Although this is certainly not elegant, (but in Microsoft's interest to do so), it sounds like they may want to consider directives that can be placed in a web page that _downgrade_ a browser's capabilities. E.g. - if a header of a page said something like <META Capability:Javascript=NO> or some such thing (I won't quibble about syntax), then it would disallow any javascript further on down. Note, I don't advocate _increases_, which of course would cause all sorts of security headaches. But this way, a site would be able to present data from an untrusted party, knowing confidently it had blocked all Javascript, instead of trying to write code to think of every scenario that might need to be blocked.

Now that I think about it, what sorts of security risks might exist (if any) by being able to send messages that have APPLET tags imbedded in them? Might someone be able to create a message with an imbedded applet that looked like it should request userid/password, and since the applet comes from the offending site, thus be able to send the userid/password pair BACK to the offending site (of course for as long as the site was able to stay up before it was attacked :))?

Brian Hampson wrote:

> I can't see that Hotmail will ever be able to block javascript if this is the
> case...think..you could replace any letter, or any combination of letters.
> Major coding hassle.

------------------------------------------------------------
Thomas Reinke                            Tel: (416) 460-7021
Director of Technology                   Fax: (416) 598-2319
E-Soft Inc.                         http://www.e-softinc.com
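
Browsers now support a capability downgrade of the kind proposed above through the Content-Security-Policy response header. The following is an added example, not part of the original post: it audits whether a policy blocks script execution and plugin content (object-src, the directive that governs OBJECT, EMBED and APPLET); the function names are hypothetical and the sample policies are constructed.

```javascript
// Added example: audit a Content-Security-Policy value for the "downgrade"
// the post asks for. Function names are hypothetical, not from any library.

// Parse "name src src; name src" into a Map of directive -> source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// A fetch directive blocks everything when its source list is empty or is
// exactly 'none'. script-src and object-src fall back to default-src.
function blocksAll(directives, name) {
  const sources = directives.has(name) ? directives.get(name) : directives.get('default-src');
  if (sources === undefined) return false; // nothing set: loads are allowed
  return sources.length === 0 || (sources.length === 1 && sources[0] === "'none'");
}

function auditDowngrade(policy) {
  const d = parseCsp(policy);
  // The sandbox directive disables scripts unless allow-scripts is listed.
  const sandboxNoScripts = d.has('sandbox') && !d.get('sandbox').includes('allow-scripts');
  return {
    scriptsBlocked: blocksAll(d, 'script-src') || sandboxNoScripts,
    pluginsBlocked: blocksAll(d, 'object-src'),
  };
}

// Headers a webmail front end could send with an untrusted message body.
function headersForUntrustedMessage() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'none'; img-src 'self'; sandbox",
  };
}

// Constructed sample policies, audited one by one.
const samples = [
  headersForUntrustedMessage()['Content-Security-Policy'],
  "default-src 'self'",
  "script-src 'none'",
  "default-src 'none'; script-src 'unsafe-inline'",
];
for (const p of samples) console.log(JSON.stringify(auditDowngrade(p)), p);
```

The third sample shows the gap raised in the post's second paragraph: a policy can switch off scripts while leaving plugin content allowed.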
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:03 PDT