[thelist] Site check: Staples.com
Shawn K. Quinn
skquinn at speakeasy.net
Tue Sep 20 01:57:45 CDT 2005
On Tue, 2005-09-20 at 16:20 +1000, Ken Schaefer wrote:
[I wrote:]
> > And there is absolutely none of this that requires Javascript to do a
> > redirect.
>
> There may be some reason why it's there (it might be some functionality
> supplied OOB by an application), and there's no compelling cost/benefit
> reason to change it
There is. It's broken. You buy a car with an obvious defect straight out
of the factory, the dealership fixes it at no cost, paid for by the
company that made it. I don't think it's unreasonable to expect software
companies to work the same way.
> > It's rather well known that letting any
> > old site run Javascript on your system is poor security practice
>
> No, it's not a "poor security practice".
Yes it is, the same way running every program you get in an e-mail is
poor security practice.
> It's a risk, like everything you do, and every piece of functionality
> you want from your software. Risks are there to be managed, avoided or
> passed to something else. What might not be acceptable to you is
> perfectly acceptable to me - I certainly have javascript enabled in my
> browser.
I do, for sites that I trust, and only sites that I trust. Everybody
else falls back to the non-script alternative.
> I think that's largely irrelevant to someone running a large web site. Anyone
> running a large scale public site would be obtaining metrics on what browsers
> people are using, and what functionality they have enabled. My experience is
> that people with your setup are in a tiny minority.
So are people with >$1,000,000 annual income. Are you as quick to write
them off as a tiny minority?
--
Shawn K. Quinn <skquinn at speakeasy.net>