On 01/14/2018 02:18 PM, Eliot Lear wrote:
On 14.01.18 18:21, Keith Moore wrote:
I would characterize it as both best practice and a minority view. We
should never assume that best practice is synonymous with widespread
practice, especially where security is concerned.
Ok, I'll say publicly what I've said privately:
JS serves a purpose. Most forms require some amount of
application-level knowledge to provide the user a good experience, for
instance. Cramming all of that onto the server means delay and less
interactivity, which users hate. Now I would agree with anyone who said
that JS represents a kitchen sink approach, but passing some of the
processing to the browser somehow is to me appropriate. And remember,
this isn't the first attempt at this. We started with Java. Want to
talk about pain?
Not that I disagree; I've certainly written some JS code. And yet, if
its purpose was to allow some improvement on user experience without
compromising the user's security, it has clearly failed. And by now
there is so much market demand for compromising the user's security that
it's far too late to fix JS. It needs to be eradicated.
Keith