[thelist] Who really turns off JavaScript?

Ken Schaefer Ken at adOpenStatic.com
Fri Nov 4 21:13:58 CST 2005


> -----Original Message-----
> From: thelist-bounces at lists.evolt.org
> [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Chris at globet.com
> Subject: Re: [thelist] Who really turns off JavaScript?
> 
> > I'd really like
> > to get some takes on the subject. Web myth or otherwise? You
> > tell me...but I say "myth."
> 
> In answer to the question in the subject line: I do.
> 
> I do this for several reasons, one of which is: I'm curious about the
> dependency on javascript of some websites that I visit. I'm curious
> because these websites hold data about me, and on more than one occasion I
> have found that turning off javascript exposes further serious
> vulnerabilities.

Could I ask what purpose this serves? Are you interested in testing the
vulnerabilities in the web application in question (and giving them data in
the first place would be a bit foolish, no?) Or are you interested in avoiding
security issues? (I'm not entirely sure how you'd do that.)

> I have personally found that one of the biggest security issues with
> javascript is that dependency on it masks deeper security vulnerabilities
> within the application in question. In addition: if I have javascript
> turned off, I would like the application to handle this state and allow me
> to make the choice of turning javascript on or exiting the application
> rather than simply throwing some kind of exception.
> 
> I draw your attention to point 10 in the following essay:
> 
> <http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx>

Could you clarify how point 10 in that essay backs up a point in your email?
I'm a little confused as to what it correlates to.

Thanks

Cheers
Ken


