From: Xavier de P. <xav...@vh...> - 2015-03-26 09:15:25
+1 Thanks amette!

Xavi

On 26/03/15 06:49, Alexander Mette wrote:
> Fellow Tikians,
>
> I read in the Quick-Admin/ellipsis/UX-thread that many are confused
> about why JavaScript is an issue. Please let me try to explain.
>
> You know this, but here goes: Having a web site with JS means that users
> download code and execute it on their computer.
>
> This is one of the main things that makes Windows such a malware
> paradise. People are browsing the web, blindly downloading pieces of
> software and executing them on their computer. With modern web pages
> there is not even the need for people to actively do anything. The code
> is embedded in the web page and gets executed automatically.
>
> From a security point of view this is blatantly dumb. Yes, we only include
> useful JavaScript code in Tiki and it doesn't do evil things. But what
> about the odd XSS or man-in-the-middle attack that inserts malicious JS
> into a trusted Tiki site?
>
> The best defence is not running foreign code at all. I use NoScript [1]
> with a "don't run anything by default" configuration in my browsers.
> Amazingly there really are web pages out there that won't be rendered at
> all in this configuration and I leave them without reading a single
> word. And I am not talking about the cradle of Bootstrap here. Twitter's
> basic functionality works without JavaScript.
>
> And even if you take me for a rabid, tin foil hat wearing idiot for not
> believing in the awesome marketing machinery that only wants my best
> when it is tracking me and stripping me of my right of informational
> self-determination (yes, that is a real basic right in Germany) - think
> of the people who have more to lose than this.
>
> The Tor Browser Bundle ships with NoScript out-of-the-box and it is best
> practice to configure it to not run any scripts by default. The only
> known deanonymisation attacks against Tor users used JavaScript. Making
> JS mandatory for using Tiki will virtually guarantee it not being chosen
> for usage by human rights groups. It will make Tiki sites uninteresting
> for people in oppressive regimes. Whistle-blowers and people fighting
> for freedom of information will turn to other platforms. Even Facebook
> realises that. [2]
>
> To me Tiki was always this great tool that could "Run Everything".
> Arguably we need these kinds of tools now even more than ever. Please
> don't take Tiki off this list by making its basic functionality depend
> on running potentially untrusted code in the browser.
>
> I do understand that there are many features that would be a pain to
> maintain in JS and non-JS flavours. But viewing and editing pages,
> logging in, uploading files, posting comments and all the other core
> functionalities that make Tiki such a great social tool should be usable
> without JavaScript. To me this is nothing more than a consequent
> interpretation of
>
> Respect the environment.
>
> regards
> amette
>
> tl;dr: Install NoScript and test if your developments make Tiki unusable
> for security and privacy conscious users.
>
> [1] https://noscript.net/
> [2] https://www.facebook.com/notes/alec-muffett/how-to-use-facebook-over-tor-without-javascript/10152913034535962