Enough is Enough

I thought my post on javascript might get a reaction out of
some of my visitors. But I still stand by my statements:
Javascript is being used when there are alternatives available.
You don’t need to use javascript to create a submit button, or
a link to the next page, or link to an image. While there may
be some advantage to the web site creator to use javascript,
the security disadvantages to the user, in my opinion, outweigh
the benefits.

Javascript is a security hole waiting to be exploited so why
trade safety of the server against the safety of your
customers? Why not secure the scripting engine on the server
rather than trying to secure thousands of desktop PCs?

Does javascript serve a purpose? Yes. But then, so does
ActiveX or .Net or .ASP. Does that mean I have any of these
(mostly) client-side technologies enabled on my PC? Nope. I
don’t have any figures on how many people have secured their
desktops but I would think it is a growing number as more and
more people realize the security implications of these
features. Each one of these security conscious people is a lost
customer. Are things so regulated that you can dismiss these

There are those who say we shouldn’t throw the baby out with
the bath water. That is, over time, these security exploits
will be found and written around. Perhaps. You could say if you
have server-side Perl
or PHP
running there are exploits possible but, over time, most have
been closed. Which would be true. But these typically exist on
the server, not the desktop and the duty to fix it is with the
writer of the script, not the user.

Which brings me to my last point. I talked earlier about
fiduciary responsibilities. While I am not a lawyer, I would
think forcing someone to open themselves to security exploits,
in order to use their service, opens the service provider to
liability to ensure that doing so does not result in a loss
(economic or otherwise). I can see the lawyers salivating at
the lawsuits now…[Why do you think many sites have
“warranties” that warrant nothing? These warranties are
actually disclaimers saying the sites know nothing, see
nothing, and do nothing. My reaction to these sites is to TURN

Deciding what security exploits are important enough to
disable client-side scripting is up to you. Only you can decide
the costs and the benefits. But I’ve decided that just because
someone wants to use javascript to create a submit button on a
form doesn’t mean I’m going to open my desktop to the exploit
of the week. Enough is enough.


Comments are closed.