[Python-talk] [js] Javascript Uber Alles? Is script without the sandbox a good idea?

Lloyd Kvam lkvam at venix.com
Tue Jul 3 20:06:39 EDT 2007


On Tue, 2007-07-03 at 18:11 -0400, Ben Scott wrote:
> On 7/3/07, Ben Scott <dragonhawk at gmail.com> wrote:
> >   Whether the final ultimate solution is a better JavaScript sandbox,
> > or something else entirely (maybe sandboxed Python -- ha!  on-topic!),
> > I think this kind of thing is inevitable.
> 
>   I should probably temper that by saying that, until such time as the
> issues get sorted out and stable solutions are developed, a stronger
> security stance is a good idea.  Ideally, that means designing sites
> such that they degrade gracefully without JavaScript in the UA, and
> browsing with some kind of JS restrictions in place.
> 
>   I tried NoScript myself, for a while.  It seemed like a Good Thing
> at first.  Alas, I found I ended up enabling JS for almost every site
> I visited, which rather defeated the purpose.  So I removed it.  A
> security solution which doesn't work, doesn't work.  (You'd think this
> would go without saying.)

Yeah, my NoScript whitelist contains 1196 lines.  Still, the sites I
visit and trust simply work.  A new site that depends on JavaScript
either gets closed, given temporary permission, or whitelisted.  It's
not so very different from the decision to load email images, except
Evolution has no whitelist.  I decide on a case-by-case basis.

The security works.  Is it worth the grief?  I've decided yes, but I may
be excessively paranoid.

> 
>   My thinking is there is probably a better solution to the immediate
> problem than the all-or-nothing approach of NoScript.  For example,
> Firefox already has ways to selectively inhibit manipulation of the
> Object Model: Go to "about:config", and search for "dom.disable".  I
> have most of these set to "True".  More along this line seems like a
> good idea.  I don't have the first clue about specifics, though.
> 
> -- Ben
> _______________________________________________
> Python-talk mailing list
> Python-talk at dlslug.org
> http://dlslug.org/mailman/listinfo/python-talk
-- 
Lloyd Kvam
Venix Corp.
1 Court Street, Suite 378
Lebanon, NH 03766-1358

voice:  603-653-8139
fax:    320-210-3409
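As an added example (not code from this thread or from NoScript/Firefox), here is a small audit of the approach Ben describes: parse a Firefox profile's user.js/prefs.js and report which dom.disable_* prefs are not set to true. The pref names are real Firefox prefs; treating exactly this set as the ones to lock down, and the sample user.js, are this example's assumptions.

```python
import re

# Firefox prefs.js / user.js lines look like:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# dom.disable_* prefs this audit expects to be true.  The names are real
# Firefox prefs; choosing this particular set is an assumption of the
# example, not advice from the thread.
LOCKDOWN_PREFS = (
    "dom.disable_window_move_resize",
    "dom.disable_window_flip",
    "dom.disable_window_status_change",
    "dom.disable_open_during_load",
    "dom.disable_image_src_set",
)

def parse_value(raw):
    """Convert the textual pref value to a Python bool, str or int."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit_dom_prefs(prefs, wanted=LOCKDOWN_PREFS):
    """Return the lockdown prefs that are absent or not set to true."""
    return [name for name in wanted if prefs.get(name) is not True]

# Constructed sample of a user.js, not taken from any real profile.
SAMPLE_USER_JS = """\
// Mozilla User Preferences
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_flip", false);
user_pref("dom.disable_open_during_load", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    missing = audit_dom_prefs(parse_prefs(SAMPLE_USER_JS))
    print("Not locked down:", ", ".join(missing))
```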


