E-mail List Archives

Summary - Javascript and security


From: Ben Coutts
Date: Jan 23, 2003 4:46AM

Hi list
Here are the 2 replies I received to my enquiry.
Thankyou for the responses.

I have a question about priority one checkpoint 6.3 -
Ensure that pages are usable when scripts, applets, or other programmatic
objects are turned off or not supported. If this is not possible, provide
equivalent information on an alternative accessible page.

Keeping this in mind, how are security issues dealt with without javascript?
An example of such javascript usage would be logging out from an internet
banking page where it's in the security interests of the user to be logged
out after finishing their tasks.
The problem is compounded by the fact that banks typically have extremely
rigorous security standards. Hence, any solution would have to be
technically robust.

Any technically robust, secure solution will *not* depend on client-side
JavaScript. Period. In fact, a secure solution depends on the assumption
that JavaScript is not available. JavaScript can be used to enhance the
users's experience, handle basic form validation, etc., but by no
means should a developer rely on this. It is too easy for a hacker to
turn off JavaScript and see what they can learn from what happens.
- Sam Buchanan

To summarize we used a combination of
- IP filtering,
- Appropriate firewalls,
- Private key protection,
- and, LDAP look up.

We have a requirement to provide pages to corporate employees nationally,
only those employees that are authorized to access the site. Some of these
employees have a need to load data to the server.

No JavaScript was used for the authentication nor encryption.
- Mark Rew

To subscribe, unsubscribe, or view list archives,
visit http://www.webaim.org/discussion/