> Btw. the example given for IE is a classic example of what is so wrong
> with Javascript: you can do anything with it - including e.g. trivial
> stealing of passwords by popping up fake login dialogs - _even if it
> doesn't make sense in the context_. This alone is a reason to
> completely block and disable it.

In this particular case it's a beautiful example of how not to configure a
web based email system. Javascript does have a sense of security domains and
nowadays it even seems to work right (see old stuff with the one line frame
snooping on the rest).

Untrusted content should be served in a different security domain to the
main system. If hotmail handed out its own admin stuff from hotmail.com and
the message contents from ifyoutrustthisyouarecrazy.com, things would be a
lot safer.

I concur however for many of us - not safe enough.

Alan
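
The split described in the message above, sketched as an added example that is not part of the original post. The two origins, the `/message/` path and the function names are assumptions made up for illustration.

```javascript
// Added illustration; both origins are constructed placeholders.
const APP_ORIGIN = "https://mail.example";            // trusted UI, holds the session
const CONTENT_ORIGIN = "https://usercontent.example"; // untrusted message bodies only

// The browser's same-origin check compares scheme, host and port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide what each origin is allowed to serve for a given request URL.
function respond(requestUrl) {
  const url = new URL(requestUrl);
  const isMessage = url.pathname.startsWith("/message/");

  if (url.origin === APP_ORIGIN) {
    if (isMessage) {
      // Never render sender-controlled HTML on the trusted origin.
      return { status: 302, headers: { Location: CONTENT_ORIGIN + url.pathname } };
    }
    // Host-only cookie (no Domain attribute): the browser will not send it
    // to the content origin.
    return {
      status: 200,
      headers: { "Set-Cookie": "session=PLACEHOLDER; Secure; HttpOnly; Path=/" },
    };
  }

  if (url.origin === CONTENT_ORIGIN) {
    // The content origin serves message bodies and nothing else, and sets no cookies.
    return isMessage
      ? { status: 200, headers: { "Content-Type": "text/html; charset=utf-8" } }
      : { status: 404, headers: {} };
  }

  return { status: 400, headers: {} }; // unknown host
}
```

Script inside a message rendered at the content origin fails the `sameOrigin` check against the mail UI, so it cannot read that document or its session cookie.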
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:03:57 PDT