[1227] in WWW Security List Archive
No subject found in mail header
daemon@ATHENA.MIT.EDU (jon madison)
Tue Dec 12 16:17:40 1995
From: jm@circle-slide.indianapolis.sgi.com (jon madison)
To: www-security@ns2.rutgers.edu
Date: Tue, 12 Dec 1995 12:12:05 -0500 (EST)
Errors-To: owner-www-security@ns2.rutgers.edu
anyone know more about the security of java/livescript (mocha, whatever)?
i've already heard of a big flaw that was plugged for the latest 2.0beta
that would allow a javascript author to save a history of the
client's travels on the web. are there any other potential dangers?
i really don't like the fact that this java script is not something
that cannot be chosen to be turned off by the browser, can be embedded in
html pages, etc.
i came across a page once that popped up a (frivolous) error dialog
(some silly words(*)), but if one were to have a dialog that said something like
"System error, shut down your system now!!!" a naive user may be
taken by surprise, perhaps actually shutting down the machine (thinking
they caught a virus) and losing valuable data, and "that ain't cool".
so,
any more thoughts on this?
j.
(*) here is the relevant source:
<!--
//alert("Get these flesh eating Yoshies off my face!!")
document.write("<CENTER>\n\t<small>Thanks for loading ", Document.location)
--
jon madison, se--. mailto:jm@sgi.com,
URLs:
http://circle-slide.indianapolis.sgi.com (in)
http://reality.sgi.com/employees/jm (out)