WebApp Sec mailing list archives
Switching off scripts
From: Ingo Struck <ingo () ingostruck de>
Date: Thu, 14 Aug 2003 15:54:31 +0200
Hi...

Sorry, that may run out of scope, and I promise this is my last out-of-scope mail regarding the usage of client side scripts here... :o)

> > (That means that you should encourage all your users to switch off all kind of scripting and don't rely on it within your apps).
>
> That's a bit extreme. Why not just fix the XSS hole.

Yep. Right. Of course the XSS hole needs to be fixed for all the users that use client side scripts or keep using it against better knowledge.

The background here is that I never experienced any merit from using client side scripting anyway:

- it induces additional security risks
- it lowers usability significantly
- it renders sites inaccessible most often
- it has got severe compatibility problems in nearly any case (show me one reasonable script working on three different browsers without any "if xyz==navigator.userAgent")

Client side scripting is a nuisance and it is unnecessary. If you want to have more client side functionality, consider building "distributed" applications rather than web applications.

Kind regards

Ingo

--
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg
with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24