Vladimir_Nesov comments on Positive Bias Test (C++ program) - Less Wrong
Comments (75)
Are you aware that with JavaScript, I can get your browser to submit a form to another site you are logged in to, that foolishly only validates sessions by cookies, and the other site will think you wanted to do that, and you would never know it happened?
Knowing this, would you still consider those who don't want JavaScript enabled when visiting sites they don't explicitly trust to be stupid?
It seems you are using this fact as a soldier-argument. The position under discussion is that all things considered, turning scripting off seems to be a wrong decision. Of course there are potential problems, but at the same time, there are working solutions to these problems, and benefits from actually using the technology.
Such as? The only working solutions I know of are server-side, or disallowing JavaScript and/or cookies.
No, the position under discussion is that turning JavaScript off is "just totally stupid". If one can provide good pro tanto reasons for doing so, it is at least not "just totally stupid".
Disallowing JavaScript does NOT protect you against CSRF - "Press button to see kittens" form works without any JavaScript. The right solution is server-side - auth tokens for all cookie-validated write forms.
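The server-side check named in the last comment, as an added example that is not part of the original thread: a write handler that requires a per-session token in the form body in addition to the session cookie. All names (`SERVER_KEY`, `issue_token`, `handle_write`, the `csrf_token` field) and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret known only to the server, generated per deployment.
SERVER_KEY = secrets.token_bytes(32)

def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id: str) -> str:
    """Token the site embeds as a hidden field in every form it renders itself."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def token_valid(session_id: str, token: str) -> bool:
    """True only if the token was issued by this server for this session."""
    nonce, _, mac = token.partition(".")
    expected = _mac(session_id, nonce)
    # Compare as bytes in constant time; also tolerates non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())

def handle_write(cookies: dict, form: dict, sessions: set) -> int:
    """Return the HTTP status for a state-changing POST."""
    sid = cookies.get("session", "")
    if sid not in sessions:
        return 401  # no valid login session
    if not token_valid(sid, form.get("csrf_token", "")):
        return 403  # the cookie alone does not prove the user meant this
    return 200

def demo() -> list:
    # Constructed sample data: two logged-in sessions on the same site.
    sessions = {"victim-session", "other-session"}
    victim_cookies = {"session": "victim-session"}  # browser attaches this automatically
    own_form = {"amount": "10", "csrf_token": issue_token("victim-session")}
    # A form hosted on another site: the cookie rides along, the token cannot,
    # whether the submit was triggered by script or by a plain button press.
    cross_site = {"amount": "10"}
    # A token issued for a different session does not transfer.
    wrong_session = {"amount": "10", "csrf_token": issue_token("other-session")}
    forms = (own_form, cross_site, wrong_session)
    return [handle_write(victim_cookies, f, sessions) for f in forms]

if __name__ == "__main__":
    print(demo())
```

The check is indifferent to whether the browser ran any script, which is why it covers the button-press case that disabling JavaScript does not.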