[3372] in WWW Security List Archive


Re: Java Script

daemon@ATHENA.MIT.EDU (Jeff Weinstein)
Fri Oct 25 03:54:35 1996

Date: Thu, 24 Oct 1996 22:58:44 -0700
From: jsw@netscape.com (Jeff Weinstein)
Reply-To: jsw@netscape.com
To: Adam Shostack <adam@homeport.org>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Adam Shostack wrote:
> 
> Jeff Weinstein wrote:
> |
> |
> | Royans K Tharakan wrote:
> | > Many of you must be knowing that there is a security bug in Netscape which
> | > allows the web page to send an E-Mail (and address goes along with it)
> | > without warning the user.
> 
> |   We found this problem a while ago, and it is fixed in
> | the 3.01 release.  You now get the warning dialog for all
> | mailto: form submissions.
> 
>         This sort of thing points out the need for signed code &
> trusted software houses configurable at a sitewide level.  Netscape's
> encouraging users to turn on Javascript opens the enterprise to
> weaknesses in the language.  If the code needed to be signed, and site
> admins could control whose code was executed, then these problems
> would be more manageable; users could get LS from Netscape, their
> company, and no one else.
> 
>         Security is more than a bunch of check boxes in the user's
> browser.  Strong authentication and authorization are important.

  Actually this problem has nothing to do with JavaScript.  You can
do the same thing without javascript.

  We are working on signed code, including javascript.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
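
A content-filter style check for the condition discussed in this thread, added here as an example and not part of the original message: it flags HTML forms that submit to a mailto: URL, whether or not the page carries any script. The class and function names, the sample pages and the example.invalid address are constructed for illustration.

```python
from html.parser import HTMLParser

class MailtoFormFinder(HTMLParser):
    """Collects every <form> whose action is a mailto: URL."""
    def __init__(self):
        super().__init__()
        self.findings = []       # one dict per mailto: form found
        self.has_script = False  # recorded only to show it does not affect the result
        self._form = None        # the mailto: form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # tag and attribute names arrive lowercased
        if tag == "script":
            self.has_script = True
        elif tag == "form":
            action = (a.get("action") or "").strip()
            self._form = None
            if action.lower().startswith("mailto:"):
                self._form = {
                    "recipient": action[len("mailto:"):].split("?", 1)[0],
                    "method": (a.get("method") or "get").lower(),
                    "line": self.getpos()[0],
                    "fields": [],
                }
                self.findings.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):
                self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def scan(html):
    """Return (list of mailto: form findings, whether the page has a <script>)."""
    finder = MailtoFormFinder()
    finder.feed(html)
    finder.close()
    return finder.findings, finder.has_script

# Constructed sample pages: one with a script element, one with none.
PAGE_WITH_SCRIPT = """<html><body>
<script>/* script present; its contents are irrelevant to the check */</script>
<form method="post" action="mailto:collector@example.invalid">
<input type="hidden" name="comment" value="x"></form></body></html>"""
PAGE_NO_SCRIPT = """<html><body>
<form METHOD=POST ACTION="MAILTO:collector@example.invalid?subject=hi">
<input type="text" name="comment"><input type="submit"></form></body></html>"""

if __name__ == "__main__":
    for page in (PAGE_WITH_SCRIPT, PAGE_NO_SCRIPT):
        print(scan(page))
```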
