Enough is Enough

I thought my post on JavaScript might get a reaction out of some of my visitors. But I still stand by my statements: JavaScript is being used when there are alternatives available. You don't need to use JavaScript to create a submit button, or a link to the next page, or link to an image. While there may be some advantage to the web site creator to use JavaScript, the security disadvantages to the user, in my opinion, outweigh the benefits.

JavaScript is a security hole waiting to be exploited, so why trade the safety of the server against the safety of your customers? Why not secure the scripting engine on the server rather than trying to secure thousands of desktop PCs?

Does JavaScript serve a purpose? Yes. But then, so does ActiveX or .NET or .ASP. Does that mean I have any of these (mostly) client-side technologies enabled on my PC? Nope. I don't have any figures on how many people have secured their desktops, but I would think it is a growing number as more and more people realize the security implications of these features. Each one of these security-conscious people is a lost customer. Are things so regulated that you can dismiss these customers?

There are those who say we shouldn't throw the baby out with the bathwater. That is, over time, these security exploits will be found and written around. Perhaps. You could say if you have server-side Perl or PHP running there are exploits possible but, over time, most have been closed. Which would be true. But these typically exist on the server, not the desktop, and the duty to fix them is with the writer of the script, not the user.

Which brings me to my last point. I talked earlier about fiduciary responsibilities. While I am not a lawyer, I would think forcing someone to open themselves to security exploits, in order to use their service, opens the service provider to liability to ensure that doing so does not result in a loss (economic or otherwise). I can see the lawyers salivating at the lawsuits now... [Why do you think many sites have "warranties" that warrant nothing? These warranties are actually disclaimers saying the sites know nothing, see nothing, and do nothing. My reaction to these sites is to TURN THE DAMNED SCRIPTING OFF.]

Deciding what security exploits are important enough to disable client-side scripting is up to you. Only you can decide the costs and the benefits. But I've decided that just because someone wants to use JavaScript to create a submit button on a form doesn't mean I'm going to open my desktop to the exploit of the week. Enough is enough.