[Mapserver-users] JavaScript vs MapScript for interface development...

Lars V. Nielsen LVN at hvm.dk
Fri Jun 27 09:38:01 EDT 2003


> Bottom line is: there are _a lot_ of good reasons to have javascript
> turned off entirely. ...

I disagree.
JavaScript may be a pain to handle because of the DOM incompatibility
issues, but naming it to be a security risk to be turned off ??

Almost all the security holes in Internet Explorer are related to either
VBScript or ActiveX (or its interplay with IIS), and they're both inherently
desktop entities as opposed to JavaScript that's born and bred for "sandbox
scripting". So in this situation, I would be much more worried about using
Flash or SVG, since both require an ActiveX plugin to work.

Only plain HTML poses absolutely no security risk (I think), but that's
kinda too spartan for building a nice-looking user interface, imho.

I would be very happy if you could see your way to list just a few of the
latest serious security hazards concerning JavaScript you're referring to.
You might even be able to change my opinion on JavaScript and security :-)

Best regards / Med venlig hilsen
Lars V. Nielsen
--------------------------------------------------------
Hvenegaard & Meklenborg
Rugaardsvej 55, DK-5000 Odense C
Denmark
http://www.hvm.dk
----- Original Message -----
From: "Thorsten Fischer" <thfischer at mapmedia.de>
To: "Palle Due Larsen" <palle at mail-online.dk>
Cc: "niklas wörmann" <nwoe at privat.utfors.se>;
<mapserver-users at lists.gis.umn.edu>
Sent: Friday, June 27, 2003 4:37 PM
Subject: Re: [Mapserver-users] JavaScript vs MapScript for
interfacedevelopment...


> On Fri, 2003-06-27 at 10:38, Palle Due Larsen wrote:
> > It is my opinion that JavaScript is the solution that intrudes the least
> > on the user's browsing experience. If I want to copy something from a
> > WebPage with JavaScript onto the clipboard, I just do it. On a Flash
> > page or in an Applet I don't have that opportunity. The same goes for
> > searching on the page and viewing the source. Today we are in a
> > situation where the major browsers are pretty standards-compliant. It is
> > not very hard to make a JavaScript-driven site that runs both in IE5.5+
> > and netscape 6.0+. See http://vestamt.carlbro.dk as an example (for the
> > fortunate few who understand Danish).
>
> Not having looked at that site yet, I want to add the following:
>
> Before starting to develop an application that relies on JavaScript to
> run, please search the archives of your local CERT and mailing lists
> like Bugtraq and Full Disclosure for the keywords 'javascript' and/or
> 'active scripting'. Happy reading.
>
> Bottom line is: there are _a lot_ of good reasons to have javascript
> turned off entirely. Every week a new security hole appears in one
> browser or another (IE for example has 19 unpatched security holes at
> the moment, some of them known for several months), and some of them are
> related to client-side scripting languages (mostly in combination with
> the completely broken 'zones' concept).
>
> Requiring the user to have javascript activated to use a web application
> can have one of two effects. First, the user may think: 'they require me
> to do things I do not want' and go elsewhere. Not exactly the effect
> desired by the developers. The second possibility is that they think 'so
> many apps require javascript, I better turn it on or I will be left
> behind', thus destroying the small, slowly growing plant of security
> awareness among computer users worldwide (growing plant? well I am not
> known for the quality of my English metaphors).
>
> If you, after careful consideration, really think that you _need_ things
> like javascript, please make sure that you establish an alternative
> version of your application, maybe with reduced functionality, that the
> users can choose from. I, like many others, am terribly sick of
> applications that were made by obviously unknowing web designers who
> think of javascript as an everyday programming and design tool like html
> is. It isn't. It has proven to be plainly dangerous again and again and
> again. Please let the user choose.
>
> In addition, John Hockaday already pointed out that most accessibility
> guidelines discourage the use of javascript (same goes for html frames,
> shockwave flash and so on).
>
> Of course I do understand that our business - creating maps, browsing
> them and querying them for the data that they are built from - is a
> highly visual one. One could argue - even without being cynical - that a
> blind person cannot make too much use of an online map anyway.
>
> The key is to let the user choose.
>
>
> hth,
>
> thorsten