No Subject

To: www-security@ns2.rutgers.edu
From: jm@circle-slide.indianapolis.sgi.com (jon madison)
Date: Tue, 12 Dec 1995 12:12:05 -0500 (EST)

anyone know more about the security of java/livescript (mocha, whatever)?
i've already heard of a big flaw that was plugged for the latest 2.0beta
that would allow a javascript author to save a history of the
clients travels on the web.  are there any other potential dangers?

i really don't like the fact that this java script is not something
that cannot be chosen to be turned off by the browser, can be embedded in
html pages, etc.

i came across a page once that popped up a (frivolous) error dialog
(some silly words(*)(), but if one were to have a dialog that said something like
"System error, shut down your system now!!!" a naive user may be
taken by surprise, perhaps actually shutting down the machine (thinking
they caught a virus) and losing valuable data, and "that ain't cool".

so,

any more thoughts on this?

j.

(*) here is the relevant source:
<!--
 //alert("Get these flesh eating Yoshies off my face!!")  
 document.write("<CENTER>\n\t<small>Thanks for loading ", Document.location)



-- 
jon madison, se--. mailto:jm@sgi.com, 
URLs: 
http://circle-slide.indianapolis.sgi.com  (in)
http://reality.sgi.com/employees/jm (out)

Follow-Ups:

Re: your mail

From: Michael Kerr <mkerr@largnet.uwo.ca>

Previous: Re: Internet Tunnel Question
Next: Re: source code security
Index(es):
- Index
- Thread