Justin du Coeur (jducoeur) wrote,

Javascript: how much of a threat is it currently, in practice?

Here's a bigger and more important question that mindways just reminded me about in a comment. I'm looking for opinions: should Querki permit Javascript on pages?

The thing is, *preventing* Javascript has all sorts of costs. Not only does it mean that I can't let people put arbitrary HTML into pages, it means they can't use arbitrary CSS either. (There are more ways to get Javascript into a page than you may realize -- stripping it out reliably is *very* hard.) For the Joe-in-the-street end user that doesn't matter, but for the folks with a little technical skill, trying to build cool and pretty shareable Apps, it's a very serious limitation.
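To make the "stripping it out reliably is very hard" point concrete, here is an added example (my own illustration, not Querki code and not from the post). It shows a blocklist "sanitizer" of the kind people usually write first, three constructed payloads that walk straight through it, and the boring-but-safe alternative: escape everything, then allow back a fixed set of exact tag tokens with no attributes at all. The payloads and the allowed-tag list are assumptions for the demo; the CSS vectors the post alludes to were browser-specific (old IE's expression(), for instance) and are not modelled here.

```javascript
// Added example (not from the post, not Querki's code): why a blocklist
// stripper leaks script, and what the safe alternative costs you.

// Blocklist "sanitizer": remove <script> elements, on* handlers, javascript: URLs.
function naiveStrip(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")          // whole <script>...</script>
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")  // whitespace + onfoo=...
    .replace(/javascript:/gi, "");                               // the javascript: scheme
}

// Constructed payloads (assumptions for the demo). Each still executes in a
// browser after naiveStrip() has had its turn.
const PAYLOADS = {
  // The browser accepts "</script >"; the regex only knows "</script>".
  looseCloseTag: "<script>alert(1)</script >",
  // "/" separates attributes in HTML tokenization; the handler regex insists on \s.
  slashSeparator: "<img/src=x/onerror=alert(1)>",
  // A single non-recursive replace reassembles the scheme it just removed.
  selfHealingScheme: '<a href="javajavascript:script:alert(1)">x</a>',
};

// Run every payload through the blocklist and report which ones it did not neutralise
// (for this demo: the output is unchanged, or still contains "javascript:").
function bypasses() {
  const result = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    const out = naiveStrip(payload);
    result[name] = out === payload || /javascript:/i.test(out);
  }
  return result;
}

// The safe alternative: escape everything, then re-allow an exact, attribute-free
// token list. No attribute parsing happens, so there is nothing to smuggle a
// handler or a URL through. The price is exactly what the post describes:
// no arbitrary HTML, no arbitrary CSS.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

const ALLOWED_TOKENS = ["<b>", "</b>", "<i>", "</i>", "<p>", "</p>", "<br>"]; // assumed list

function allowlistRender(text) {
  let out = escapeHtml(text);
  for (const tag of ALLOWED_TOKENS) {
    // Only the escaped form of an allowed literal token is turned back into markup.
    out = out.split(escapeHtml(tag)).join(tag);
  }
  return out;
}

module.exports = { naiveStrip, PAYLOADS, bypasses, escapeHtml, allowlistRender };
```

Every payload in the table comes out of naiveStrip() still live, while allowlistRender() renders the same inputs as inert text and keeps only the whitelisted bold/italic/paragraph tokens. A real allowlist sanitizer (one built on an HTML parser rather than regexes) can safely admit a larger vocabulary, but the shape of the trade-off is the same: the more of HTML and CSS you let through, the more parsing you have to get exactly right.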

So the question is, in the modern environment, with modern browsers, how *dangerous* is Javascript? I'm already planning that every Space will have its own subdomain, which I believe makes most easy XSS attacks fail, since browsers have gotten pretty strict about crossing domain lines. It *does* mean that Apps will be able to load arbitrary Scripts, which means that they can build fairly arbitrary mash-ups, but that's potentially very powerful and not too terribly different from your average website. (I love the potential for mash-ups -- it means that users can, eg, build Apps that embed Google Maps without waiting for me to build that into the heart of the system.)
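As an added example (mine, not from the post or from Querki), here is what the per-Space-subdomain plan does and does not isolate, written out as the two checks a browser actually performs. The same-origin policy compares (scheme, host, port), so script running in one Space's subdomain cannot read another Space's DOM, storage or responses. Cookies follow a different rule (RFC 6265 domain matching): a cookie set with Domain=parent is sent to every host under that parent, which is the one place a subdomain scheme needs care. The hostnames below (querki.net and the Space names) are assumptions for the demo; the post does not say what domain Querki will use.

```javascript
// Added example (not from the post, not Querki's code): the two rules that
// decide what a per-Space subdomain isolates. Hostnames are assumed.

// Browser origin = scheme + host + port. Script in one origin gets no access
// to the DOM, localStorage or fetch responses of another.
function origin(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// RFC 6265 "domain-matches": the request host equals the cookie's Domain or
// ends with "." + Domain. A leading dot on the attribute is ignored.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Which of `hosts` receive a cookie set by `setBy`? With no Domain attribute the
// cookie is host-only and goes back to exactly that host; with Domain=X it goes
// to X and everything under it.
function hostsReceivingCookie(setBy, domainAttr, hosts) {
  return hosts.filter((h) =>
    domainAttr === null ? h === setBy.toLowerCase() : cookieDomainMatches(h, domainAttr)
  );
}

// Assumed layout: a login host plus one subdomain per Space.
const HOSTS = ["www.querki.net", "alice.querki.net", "bob.querki.net", "querki.org"];

module.exports = { origin, sameOrigin, cookieDomainMatches, hostsReceivingCookie, HOSTS };
```

Two Spaces on different subdomains are different origins, so an XSS in one stays in that one as far as the DOM and storage are concerned. A session cookie set with Domain=querki.net, though, rides along to alice.querki.net and bob.querki.net, where injected script can use it for requests even without reading it. Keeping the session cookie host-only on the login host (no Domain attribute), or hanging the Spaces off a separate domain, closes that gap.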

So I'm looking for opinions here -- some of you have done more security-wonkery than I, and I'm curious what your take is...
Tags: querki, technology
