[1999] in WWW Security List Archive
Re: Java/Netscape security holes: hole du jour and summary
daemon@ATHENA.MIT.EDU (John Robert LoVerso)
Tue May 7 16:22:15 1996
To: Gene Ingram <gene@hpfsvr01.cup.hp.com>
cc: www-security <www-security@ns2.rutgers.edu>, jsw@netscape.com
In-reply-to: Message from Gene Ingram <gene@hpfsvr01.cup.hp.com>
<318F8793.3D0F@cup.hp.com> .
Date: Tue, 07 May 96 13:51:59 -0400
From: John Robert LoVerso <loverso@osf.org>
Errors-To: owner-www-security@ns2.rutgers.edu
> If that is what you meant, then we're in agreement,
Yup.
As for Netscape's motivation about which section (security vs network)
they belong in, well, that's their call. I originally thought the only
need to disable these would be for security reasons, but Jeff has made
good points on the contrary. The buttons do indeed fit in both
catagories and it doesn't really matter where the buttons are, as long
as they are somewhere.
> Also can I gather then, that you're satisfied
> that Java and JavaScript *each* pose no security risk and therefore no
> longer belong in ``Security''.
If I was satisfied about that, I'd be the first to suggest removing the
buttons altogether. A tiny part of me was still hoping they might
change the defaults to "disabled". These are complicated facilities,
still undergoing lots of changes. Its a safe bet to believe that the
last problems haven't been found (or even introduced yet).
John
