WebApp Sec mailing list archives

Switching off scripts


From: Ingo Struck <ingo () ingostruck de>
Date: Thu, 14 Aug 2003 15:54:31 +0200

Hi...

Sorry, that may run out of scope, and I promise this is my
last out-of-scope mail regarding the usage of client side scripts here... :o)

> > (That means that you should encourage all your users to switch off all
> > kinds of scripting and don't rely on it within your apps).
>
> That's a bit extreme.  Why not just fix the XSS hole?

Yep. Right. Of course the XSS hole needs to be fixed for all the users
that use client side scripts or keep using it against better knowledge.

The background here is that I never experienced any merit
from using client side scripting anyway:
- it induces additional security risks
- it lowers usability significantly
- it renders sites inaccessible most often
- it has got severe compatibility problems in nearly any case
  (show me one reasonable script working on three different browsers without
   any "if xyz==navigator.userAgent")

Client side scripting is a nuisance and it is unnecessary.
If you want to have more client side functionality, consider building
"distributed" applications rather than web applications.

Kind regards

Ingo

-- 
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807  5BBF 8508 AF92 19AA 3D24