[1663] in WWW Security List Archive
Disable {Java|JavaScript}
daemon@ATHENA.MIT.EDU (Rob Jenson)
Fri Mar 15 16:13:56 1996
Date: Fri, 15 Mar 1996 13:30:32 -0500
From: Rob Jenson <jenson@nasirc.hq.nasa.gov>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
-----BEGIN PGP SIGNED MESSAGE-----
FYI:
Java and JavaScript are two completely different animals (except
perhaps syntactically). The released version of Netscape 2.01 for
UNIX contains a "Disable Java" button and a "Disable JavaScript"
button, both of which work and do what they are supposed (AFAICT).
I assume that the same is true for the Windows 32-bit version, but
I have not actually placed my fingers on that version today.
The Windows 16-bit version has both buttons, but the "Disable
Java" button does not work. That is because there isn't anything to
disable in that version of 2.01 ... Java has not been implemented in
that version. JavaScript has, and the "Disable JavaScript" button
does just that.
The Macintosh version (not the beta test Mac version which I
haven't looked at) of 2.01 has only the "Disable JavaScript" button
and no "Disable Java" button. This is because Java has not been
implemented in that version. JavaScript has, and the "Disable
JavaScript" button works.
AFAIK: JavaScript functionality is included in every platform that
Netscape Navigator 2.01 supports. The "Disable JavaScript" button
exists and works on all of them.
AFAIK: Java functionality is included in the UNIX and Windows
32-bit versions, and can be disabled with the "Disable Java" button.
If there is no Java functionality included, there is no way to disable
it.
From my perspective (personal, professional, whatever), the
releases of Netscape Navigator 2.01 are a significant improvement and
have addressed many, if not all, of the existing concerns of the
computer security community at the time. If something new has been
discovered in the past ten days while they were building 2.01 ... that
is a different pot of spotch.
_rob_
Disclaimer: I don't work for Netscape, they don't often work directly
with me. I only speak for myself, not NASA, Hughes, or the
computer security community. However, Netscape is really getting
beaten up a second time (unfairly) because very few people
understand that Java and JavaScript are not the same thing, and a
problem/fix in one does not affect a problem/fix to the other. By
the same token, you can't disable something that isn't there.
- --
Rob Jenson, Sr. Systems Engineer, Hughes STX Corp.
NASIRC (NASA Automated Systems Incident Response Capability)
E-mail: jenson@nasirc.hq.nasa.gov F:(301) 441-1853 V:(301) 441-4266
Snail: Ste. 400, 7701 Greenbelt Rd., Greenbelt, MD 20770
Get PGP Key from http://www-swiss.ai.mit.edu/~bal/pks-toplev.html
Verify: pub 1717/E7A75FC9 1995/10/25 Rob Jenson <jenson@nasirc.nasa.gov>
Fingerprint: D8 4E 05 2D 98 1B D5 79 D1 27 AB A3 93 E5 75 25
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQDsAwUBMUm3M5+zdHXnp1/JAQGT1QazBuD7n7tPPnBZVMIXEAgxz8XODxXu9vux
47d1iWdlA0OfLh7sk3LU85HmE7pdRfcOGuDb1891iAV4wYEe1cEkXDTDcSsEOyYt
/hheFettjNLDa0o026ezU/ONesMkexq9Z1YdPPSktPID/SSFMwGTT7eNSlLuVVMm
Ps+WulYU3MYQLVzi9jwCnfQzxVCMvSzl49jbjtuid+dn+5HkgpeO+V4vfkIuatcU
+RmKoPyK1q10b1GByFuSd+AP1vYXuHDbrUgWd0Mwq8X5/VIpEMMIFKA4UoRSxNw=
=RpWh
-----END PGP SIGNATURE-----
