On 14/01/18 00:14, Eric Rescorla wrote:
>> It would be best to kill Javascript entirely,
>> given that it's the vector for a myriad of attacks and therefore that
>> it's become a best practice to disable it in browsers.
>
> I would characterize this more as a minority view than a best practice.
> Javascript is ubiquitous throughout the Web.

Lamentably true in general, yes. I believe it's less true of the population of IETFers, for example I use NoScript and while I'm willing to allow a browser to run JS hosted by ietf.org, I'm not happy to extend that further, which is called for by the current web content. (And I'd prefer to not have to add an exception for ietf.org were that possible.)

Anyway, the point of this mail is to suggest we measure the proportion of IETFers who aren't ok with random JS being run. The reason this isn't a ticket is that it could be that someone already has some data, or that it may be more feasible to measure this via tools.ietf.org or otherwise.

And lastly - a bit of full disclosure - I had a chat with Henrik about this while I was on the IESG and said I'd try figure out what could be measured and how, and then promptly dropped that ball;-(

Cheers,
S.

PS: IETFer preferences in this space remain relevant even if the ietf.org site is mainly targeted at non IETFers.

--
PGP key change time for me.
New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
NewWithOld sigs in keyservers.
Sorry if that mucks something up;-)