JavaScript considered harmful (was Re: New online index to Beazley's tutorials)
Aahz Maruch
aahz at panix.com
Tue Jan 8 09:19:39 EST 2002
In article <mailman.1010497345.23256.python-list at python.org>,
Chris Gonnerman <chris.gonnerman at newcenturycomputers.net> wrote:
>From: "Aahz Maruch" <aahz at panix.com>
>> In article <mailman.1010494751.14448.python-list at python.org>,
>> Chris Gonnerman <chris.gonnerman at newcenturycomputers.net> wrote:
>>>
>>>I'm with Alex here... particularly since you don't store "all that
>>>customizing information" on the client machine. Generally I store an
>>>apparently random bit of data (the primary key value of the database
>>>record where the primary identification of the user is stored). Small
>>>and unobtrusive, but it gets the job done. Lacking a valid value for
>>>this cookie, I force the user to enter username and password.
>>
>> So how do you handle it when users don't permit cookies? You refuse to
>> let them have customized pages? You still need a session ID in the URL.
>> Why not just give them a bookmarkable page?
>
>Well, you're forcing an admission of sorts... I found cookies too
>limiting in the last such project I worked on and I used basically
>what you suggest.
<grin>
>Still, I feel that calling cookies "evil" (not your words I don't
>think, but your intention as I understand it) seems extreme to me.
>Another poster (lost his name, sorry) complained about all the
>statistical information which can be compiled using them. What
>about the 1-pixel-camera trick? Turning off cookies isn't going to
>affect that.
Note that I don't even call JavaScript evil. I just point out how
useless and dangerous JavaScript is, and let people draw their own
conclusions. ;-) Seriously, my only objection to JavaScript is when
it's *required*; ditto for cookies. If people want to create a
JavaScript-enhanced or cookie-enhanced browsing experience, that's fine
with me.
As for the 1-pixel trick, turning off images deals with *that* problem
(or, preferably for me, just using Lynx). But, yeah, that's evil, and
there's no simple solution other than designing a browser that warns you
of off-site links (which I think some do).
>I debated explaining this here, but "security through obscurity"
>naturally doesn't work. The bad guys already know these tricks.
You did the Right Thing. ;-)
--
--- Aahz <*> (Copyright 2002 by aahz at pobox.com)
Hugs and backrubs -- I break Rule 6 http://www.rahul.net/aahz/
Androgynous poly kinky vanilla queer het Pythonista
"There are times when effort is important and necessary, but this should
not be taken as any kind of moral imperative." --jdecker
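The session scheme the thread goes back and forth on (nothing customizable stored on the client, just an identifier that the server resolves, taken from a cookie or, when the browser sends none, from the URL), written out as an added example. This is not code from either poster; the names (SessionStore, resolve_session, the "sid" cookie and query parameter) and the request shape (a headers dict plus the request URL) are assumptions made for illustration.

```python
"""Server-side sessions keyed by an opaque token, accepted from a cookie or,
when the browser sends none, from the URL.

Added example for this thread, not code from the original posts.  The names
(SessionStore, resolve_session, the "sid" cookie/parameter) and the request
shape (a headers dict plus the request URL) are assumptions for illustration.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "sid"      # assumed cookie name
SESSION_PARAM = "sid"       # assumed query-string parameter for the no-cookie fallback
SESSION_TTL = 30 * 60       # idle timeout, seconds


@dataclass
class Session:
    user: str
    prefs: dict = field(default_factory=dict)       # customization never leaves the server
    last_seen: float = field(default_factory=time.time)


def _key(token: str) -> str:
    # Store a hash of the token: a dump of the store then hands out no usable
    # tokens, and lookup timing tells a guesser nothing about a real one.
    return hashlib.sha256(token.encode("ascii", "replace")).hexdigest()


class SessionStore:
    """Maps opaque tokens to per-user state that is held only on the server."""

    def __init__(self, ttl: float = SESSION_TTL) -> None:
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl

    def create(self, user: str, prefs: Optional[dict] = None) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, which a sequential row id is not.
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = Session(user, dict(prefs or {}))
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        now = time.time() if now is None else now
        key = _key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now - sess.last_seen > self._ttl:      # idle too long: drop it
            del self._sessions[key]
            return None
        sess.last_seen = now
        return sess

    def destroy(self, token: str) -> None:
        self._sessions.pop(_key(token), None)


def token_from_request(headers: Dict[str, str], url: str) -> Tuple[Optional[str], str]:
    """Prefer the cookie; fall back to the query string only when no cookie came."""
    cookie_header = headers.get("Cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if SESSION_COOKIE in jar:
            return jar[SESSION_COOKIE].value, "cookie"
    query = parse_qs(urlsplit(url).query)
    if query.get(SESSION_PARAM):
        return query[SESSION_PARAM][0], "url"
    return None, "none"


def resolve_session(store: SessionStore, headers: Dict[str, str], url: str,
                    now: Optional[float] = None) -> Tuple[Optional[Session], str]:
    """Return (session, source) or (None, "login") when the user must sign in."""
    token, source = token_from_request(headers, url)
    sess = store.lookup(token, now) if token else None
    if sess is None:
        return None, "login"
    return sess, source


def set_cookie_header(token: str) -> str:
    """Set-Cookie value; the HttpOnly/Secure flags postdate this thread but belong here now."""
    return f"{SESSION_COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Two caveats a practitioner will want with the URL fallback: a session identifier in the URL ends up in bookmarks, proxy and server logs and the Referer header of every off-site link on the page, so it should be as short-lived as possible and should never be the only thing standing between a reader and an account with real privileges; and whatever value goes in the cookie or the URL must be unpredictable, since a guessable identifier lets anyone walk the keyspace and pick up other users' sessions.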
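The "1-pixel-camera trick" and the off-site-link warning mentioned above, as an added example of the check a browser or proxy could run; it is not code from the original posts. The sample page is constructed, the hostnames in it are illustrative, and "off-site" is taken here to mean a hostname different from the page's own.

```python
"""Warn about off-site references in a page, including 1x1 tracking images.

Added example for this thread (not from the original posts): the kind of
check a browser or proxy could run.  The sample page below is constructed,
and "off-site" is taken to mean a different hostname from the page's own.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlsplit


def _is_pixel(attrs: Dict[str, str]) -> bool:
    """A 1x1 (or 0x0) image is invisible; its only job is to make the request."""
    try:
        return int(attrs.get("width", "")) <= 1 and int(attrs.get("height", "")) <= 1
    except ValueError:
        return False


class OffSiteScanner(HTMLParser):
    """Collects every image, script, frame or link that would contact another host."""

    WATCHED = {"img": "src", "script": "src", "iframe": "src", "a": "href"}

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name is None:
            return
        a = {k: (v or "") for k, v in attrs}
        ref = a.get(attr_name, "").strip()
        if not ref:
            return
        absolute = urljoin(self.page_url, ref)
        host = urlsplit(absolute).hostname
        if host is None or host.lower() == self.page_host:
            return                      # same host, or mailto:/javascript: etc.
        self.findings.append({
            "tag": tag,
            "url": absolute,
            "host": host,
            # An off-site <img> is fetched without any user action (a 1x1 one
            # is the "camera"); a link only fires if the reader clicks it.
            "auto_fetch": tag != "a",
            "tracking_pixel": tag == "img" and _is_pixel(a),
        })


def scan(page_url: str, html: str) -> List[Dict[str, object]]:
    """Return the off-site references found in html, in document order."""
    scanner = OffSiteScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the hosts are illustrative.
SAMPLE_URL = "http://www.example.org/tutorials/index.html"
SAMPLE_HTML = """
<html><body>
<img src="../images/logo.gif" width="120" height="40">
<a href="beazley/index.html">local tutorial index</a>
<a href="http://www.python.org/">python.org</a>
<img src="http://stats.example.net/hit.gif?page=4711" width="1" height="1">
<a href="mailto:someone@example.org">mail</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_URL, SAMPLE_HTML):
        flag = "TRACKING PIXEL" if f["tracking_pixel"] else ("auto" if f["auto_fetch"] else "click")
        print(f"{f['tag']:<6} {flag:<14} {f['url']}")
```

Turning images off, as the post says, stops the automatic fetch that makes the pixel useful, which is why the scanner separates references the browser fetches on its own from links that need a click. Comparing hostnames exactly is deliberately simple: a site that serves its own images from a separate hostname will show up as off-site, and a tracker hosted under the page's own domain will not, so treat the output as a warning list rather than a verdict.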