Javascript security

Labyrinth

One guy from C++ related group claims Javascript
is nothing but a horror story as far as security goes.

Is that the case?

I thought it is just a sandbox essentially.

--
Java MFC Goldmine collections contain over 50,000 articles
on Java, C, C++, C#, VC and MFC in over 50 categories.

Tens of thousands of code snippets and examples,
expert opinions and views and tons of relevant links
on each category.

Sites contain only relevant articles on selected topics.
All noise articles were filtered out.

You can find an answer on any issue within minutes,
if not seconds.

JavaGoldmine:
http://javagoldmine.by.ru/index.html

Mirror:
http://tarkus01.by.ru/index.html

MFCGoldmine:
http://mfcgoldmine.by.ru/index.html

Note:

Sites are indexed by Google. To find you exactly the articles
you are looking for, use advanced search and specify site,
e.g. for MFC Goldmine,

Search within a site or domain: mfcgoldmine.by.ru

For Java Goldmine Google searches, use tarkus01.by.ru,
not javagoldmine.by.ru. It has the biggest Google index.

If you have problems accessing some article, use the mirror site.
 
Tim Greer

Labyrinth said:
One guy from C++ related group claims Javascript
is nothing but a horror story as far as security goes.

Is that the case?

I thought it is just a sandbox essentially.

Did this person speak in terms of security for the client/web surfer of
the web site, or were they speaking in terms of JavaScript in whole, or
do you think they meant that trying to use JavaScript as a web document
to client browser interaction as a method to check passwords or other
credentials is a poor security method? I assume they meant the latter,
where someone could use JavaScript to require a login to continue,
where the surfer could just disable JavaScript and view the page source
to see what content or URL the "authenticated" JavaScript code would
have done next. If so, it is true, in that case, but JavaScript
doesn't have to be all client side, in which case that logic might not
apply. Either way, as a first line of defense, to save some server
side processing, it's not likely a bad idea, but you should still do
the real checking on the server-side (whatever that might mean to you).
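
The point in the reply above, as an added example that is not part of any post in this thread: a client-side password gate exposes the protected URL in the page source, while a server-side check withholds the content until the credentials verify. The page markup, path, account and `handleRequest` handler are constructed for illustration.

```javascript
// Added example; page, path, account and handler are all constructed.
const crypto = require('crypto');

// Weak pattern: the page ships both the expected password and the
// protected URL to the browser, so the "check" is only advisory.
const weakPage = `<script>
function login() {
  if (document.getElementById('pw').value === 'letmein') {
    location.href = '/members/report.html';
  }
}
</script>`;

// Review check: whatever a client-side gate redirects to can be read
// from the source without ever running the script.
function urlsExposedInSource(html) {
  const re = /location\.href\s*=\s*['"]([^'"]+)['"]/g;
  return [...html.matchAll(re)].map(m => m[1]);
}

// Server-side pattern: only a salted hash is stored, and the content
// is returned only after the comparison succeeds on the server.
const SALT = crypto.randomBytes(16);
const hash = pw => crypto.scryptSync(pw, SALT, 32);
const USERS = new Map([['alice', hash('correct horse')]]);

function handleRequest(path, user, password) {
  if (path !== '/members/report.html') return { status: 404, body: '' };
  const stored = USERS.get(user);
  // Hash even for unknown users so response time does not reveal
  // which account names exist.
  const supplied = hash(String(password));
  const ok = stored !== undefined && crypto.timingSafeEqual(stored, supplied);
  return ok
    ? { status: 200, body: 'quarterly report' }
    : { status: 401, body: '' };
}

console.log(urlsExposedInSource(weakPage));
console.log(handleRequest('/members/report.html', undefined, undefined).status);
console.log(handleRequest('/members/report.html', 'alice', 'correct horse').status);
```

Requesting the path directly, with JavaScript disabled or not, gets a 401 from the server-side handler, which is the "real checking" the reply refers to.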
 
Logos

Tim Greer said:

Did this person speak in terms of security for the client/web surfer of
the web site, or were they speaking in terms of JavaScript in whole, or
do you think they meant that trying to use JavaScript as a web document
to client browser interaction as a method to check passwords or other
credentials is a poor security method?  I assume they meant the latter,
where someone could use JavaScript to require a login to continue,
where the surfer could just disable JavaScript and view the page source
to see what content or URL the "authenticated" JavaScript code would
have done next.  If so, it is true, in that case, but JavaScript
doesn't have to be all client side, in which case that logic might not
apply.  Either way, as a first line of defense, to save some server
side processing, it's not likely a bad idea, but you should still do
the real checking on the server-side (whatever that might mean to you).
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting.  24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!

Just a heads up, Tim - as RobG said in
http://groups.google.com/group/comp.lang.javascript/browse_thread/thread/1437812add21339e?hl=en,
"... the OP is trolling for visitors to a site. A poster with a 23
line signature has suspect motives for posting. "

Tyler Style
http://malthusian-solutions.com
http://nirdvana.com
 
