[Owasp-leaders] Sites that won't work without Javascript

Juan Calderon juan.calderon at owasp.org
Thu Dec 20 19:17:55 UTC 2012


Hi Guys

We can come to a middle ground here. As Antonio mentions, JS is not evil
by itself; it is just certain functionality that allows insecure activities,
so making sure JS code on websites only uses calls to secure methods sounds
like a good middle point to me.

LibreJS sounds like a good idea, and from the development side there is
JSLint to ensure code is safe. OWASP's mission is to make application
(in)security visible, so I think promoting the usage of secure JS is within
our jurisdiction :)


Regards,
JC


On Thu, Dec 20, 2012 at 9:20 AM, Antonio Fontes <antonio.fontes at owasp.org> wrote:

>
> Hi Vicente,
>
> Agreed, websites should offer a reduced mode that maintains access to
> the content even without JS running.
>
> However, on the question about OWASP encouraging the community to build
> websites that work without JS, I am not sure I can identify the exact
> link with OWASP. This appears to be more motivated by typical
> usability/accessibility good practice than by security concerns. A
> website that requires JS to run is not inherently more insecure (either
> for the company or the client) than one which does not. We could argue
> that the attack surface gets increased but...that would basically mean
> encouraging website designers to build plain text websites.
>
> When organisations keep forcing their users/customers into enabling JS
> in their browser, well then, basically they lose customers/users.
> Including me, and all those around me that I was able to convince with
> an alternative :)
>
> Antonio
>
>
>
> --
> OWASP Switzerland, board member
> OWASP Geneva, chapter leader
>   skype: antonio.fontes
>
> On 12/20/2012 12:25 PM, Vicente Aguilera wrote:
> > Hello leaders,
> >
> > Richard Stallman sent me the following message, which I reproduce for
> > your consideration:
> >
> > ===
> > I run into quite a few sites nowadays that won't work without
> > Javascript.  Often WiFi portals do this.
> >
> > Can OWASP help encourage Web designers to make their sites
> > work with Javascript disabled?
> >
> > Also, can it help encourage Web designers to make their sites
> > pass the LibreJS test?
> > ===
> >
> > What's your opinion?
> >
> > Best regards,
> > --
> > _________________________________
> > Vicente Aguilera Diaz
> > OWASP Spain chapter leader
> > CISA, CISSP, CSSLP, ITIL, PCI ASV
> > CEH Instructor, ECSP Instructor, OPSA, OPST
> > vicente.aguilera at owasp.org
> > Homepage: http://www.owasp.org/index.php/Spain
> > Mailing list: http://lists.owasp.org/mailman/listinfo/owasp-spain
> > Twitter: @vaguileradiaz
> > Personal website: http://www.vicenteaguileradiaz.com
> > PGP: 0xD21C1EF8 - D1F0 E0B5 2ACC B4B5 57CD  C427 58B7 CF0D D21C 1EF8
> > _________________________________
> >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >