[Mapserver-users] JavaScript vs MapScript for interface development...

Ed McNierney ed at topozone.com
Fri Jun 27 16:22:34 EDT 2003


"Before starting to develop an application that relies on JavaScript to
run, please search the archives of your local CERT and mailing lists
like Bugtraq and Full Disclosure for the keywords 'javascript' and/or
'active scripting'. Happy reading."

Did you try this yourself?  "JavaScript" and "active scripting" are two entirely different technologies.  Unfortunately, part of the problem is that most users get their information from us techies who don't always do a good job of differentiating things, so users end up being told to be afraid of everything.

I went to www.cert.org and searched all advisories for "javascript".  There were 8 hits.  By contrast, searching on "active scripting" returns 86 hits.

Excluding the summaries and passing references to JavaScript, there were actually 3 CERT advisories related to JavaScript - CA-1996-05, CA-1996-07, and CA-1997-20.  There hasn't been a CERT advisory on a JavaScript vulnerability in six years.  If you're using a browser newer than Netscape 2.02, it appears none of these advisories applies <g>.

	- Ed

Ed McNierney
President and Chief Mapmaker
TopoZone.com / Maps a la carte, Inc.
73 Princeton Street, Suite 305
North Chelmsford, MA  01863
ed at topozone.com
(978) 251-4242 

-----Original Message-----
From: Thorsten Fischer [mailto:thfischer at mapmedia.de]
Sent: Friday, June 27, 2003 10:37 AM
To: Palle Due Larsen
Cc: niklas wörmann; mapserver-users at lists.gis.umn.edu
Subject: Re: [Mapserver-users] JavaScript vs MapScript for interface development...


On Fri, 2003-06-27 at 10:38, Palle Due Larsen wrote:
> It is my opinion that JavaScript is the solution that intrudes the least
> on the user's browsing experience. If I want to copy something from a
> WebPage with JavaScript onto the clipboard, I just do it. On a Flash
> page or in an Applet I don't have that opportunity. The same goes for
> searching on the page and viewing the source. Today we are in a
> situation where the major browsers are pretty standards-compliant. It is
> not very hard to make a JavaScript-driven site that runs both in IE5.5+
> and netscape 6.0+. See http://vestamt.carlbro.dk as an example (for the
> fortunate few who understand Danish).

Not having looked at that site yet, I want to add the following:

Before starting to develop an application that relies on JavaScript to
run, please search the archives of your local CERT and mailing lists
like Bugtraq and Full Disclosure for the keywords 'javascript' and/or
'active scripting'. Happy reading.

Bottom line is: there are _a lot_ of good reasons to have javascript
turned off entirely. Every week a new security hole appears in one
browser or another (IE for example has 19 unpatched security holes at
the moment, some of them known for several months), and some of them are
related to client-side scripting languages (mostly in combination with
the completely broken 'zones' concept).

Requiring the user to have javascript activated to use a web application
can have one of two effects. First, the user may think: 'they require me
to do things I do not want' and go elsewhere. Not exactly the effect
desired by the developers. The second possibility is that they think 'so
many apps require javascript, I better turn it on or I will be left
behind', thus destroying the small, slowly growing plant of security
awareness among computer users worldwide (growing plant? well I am not
known for the quality of my English metaphors).

If you, after careful consideration, really think that you _need_ things
like javascript, please make sure that you establish an alternative
version of your application, maybe with reduced functionality, that the
users can choose from. I, like many others, am terribly sick of
applications that were made by obviously unknowing web designers who
think of javascript as an everyday programming and design tool like html
is. It isn't. It has proven to be plainly dangerous again and again and
again. Please let the user choose. 

In addition, John Hockaday already pointed out that most accessibility
guidelines discourage the use of javascript (same goes for html frames,
shockwave flash and so on).

Of course I do understand that our business - creating maps, browsing
them and querying them for the data that they are built from - is a
highly visual one. One could argue - even without being cynical - that a
blind person cannot make too much use of an online map anyway.

The key is to let the user choose.


hth,

thorsten

