[thelist] Site check: Staples.com

Shawn K. Quinn skquinn at speakeasy.net
Tue Sep 20 01:57:45 CDT 2005


On Tue, 2005-09-20 at 16:20 +1000, Ken Schaefer wrote:
  [I wrote:]
> > And there is absolutely none of this that requires Javascript to do a
> > redirect.
> 
> There may be some reason why it's there (it might be some functionality
> supplied OOB by an application), and there's no compelling cost/benefit
> reason to change it

There is. It's broken. You buy a car with an obvious defect straight out
of the factory, the dealership fixes it at no cost, paid for by the
company that made it. I don't think it's unreasonable to expect software
companies to work the same way.

> > It's rather well known that letting any
> > old site run Javascript on your system is poor security practice
> 
> No, it's not a "poor security practice". 

Yes it is, the same way running every program you get in an e-mail is
poor security practice.

> It's a risk, like everything you do, and every piece of functionality
> you want from your software. Risks are there to be managed, avoided or
> passed to something else. What might not be acceptable to you is
> perfectly acceptable to me - I certainly have javascript enabled in my
> browser.

I do, for sites that I trust, and only sites that I trust. Everybody
else falls back to the non-script alternative.

> I think that's largely irrelevant to someone running a large web site. Anyone
> running a large scale public site would be obtaining metrics on what browsers
> people are using, and what functionality they have enabled. My experience is
> that people with your setup are in a tiny minority.

So are people with >$1,000,000 annual income. Are you as quick to write
them off as a tiny minority?

-- 
Shawn K. Quinn <skquinn at speakeasy.net>
