JavaScript considered harmful (was Re: New online index to Beazley's tutorials)

Aahz Maruch aahz at panix.com
Tue Jan 8 09:19:39 EST 2002 

In article <mailman.1010497345.23256.python-list at python.org>,
Chris Gonnerman <chris.gonnerman at newcenturycomputers.net> wrote:
>From: "Aahz Maruch" <aahz at panix.com>
>> In article <mailman.1010494751.14448.python-list at python.org>,
>> Chris Gonnerman <chris.gonnerman at newcenturycomputers.net> wrote:
>>>
>>>I'm with Alex here... particularly since you don't store "all that
>>>customizing information" on the client machine.  Generally I store an
>>>apparently random bit of data (the primary key value of the database
>>>record where the primary identification of the user is stored).  Small 
>>>and unobtrusive, but it gets the job done.  Lacking a valid value for 
>>>this cookie, I force the user to enter username and password.
>> 
>> So how do you handle it when users don't permit cookies?  You refuse to
>> let them have customized pages?  You still need a session ID in the URL.
>> Why not just give them a bookmarkable page?
>
>Well, you're forcing an admission of sorts... I found cookies too
>limiting in the last such project I worked on and I used basically 
>what you suggest.

<grin>

>Still, I feel that calling cookies "evil" (not your words I don't 
>think, but your intention as I understand it) seems extreme to me.
>Another poster (lost his name, sorry) complained about all the 
>statistical information which can be compiled using them.  What 
>about the 1-pixel-camera trick?  Turning off cookies isn't going to
>affect that.

Note that I don't even call JavaScript evil.  I just point out how
useless and dangerous JavaScript is, and let people draw their own
conclusions.  ;-)  Seriously, my only objection to JavaScript is when
it's *required*; ditto for cookies.  If people want to create a
JavaScript-enhanced or cookie-enhanced browsing experience, that's fine
with me.

As for the 1-pixel trick, turning off images deals with *that* problem
(or, preferably for me, just using Lynx).  But, yeah, that's evil, and
there's no simple solution other than designing a browser that warns you
of off-site links (which I think some do).

>I debated explaining this here, but "security through obscurity" 
>naturally doesn't work.  The bad guys already know these tricks.

You did the Right Thing.  ;-)
-- 
                      --- Aahz  <*>  (Copyright 2002 by aahz at pobox.com)

Hugs and backrubs -- I break Rule 6                 http://www.rahul.net/aahz/
Androgynous poly kinky vanilla queer het Pythonista   

"There are time when effort is important and necessary, but this should
not be taken as any kind of moral imperative."  --jdecker

More information about the Python-list mailing list