Asp Forum - Web Pages Revisited - microsoft.public.vb.general.discussion

BeeJ

6/10/2011 4:25:00 PM

Thanks for the previous opening discussion.
It is always enlightening to hear all the views. Entertaining too.
But I was really trying to find out if VB was good to use basically.
Now to the real purpose of wanting to use VB6.

For example.
I want to create a website for custom design.
I want to have widgets (images of widgets) that the user can position
(rotate, X,Y, size).
Available Widgets would be selected from a box of widgets.
Then when completed, the user's design would be "sent" to me with a
button press so I could weld it all up and send it to the user.
Shopping cart needed too.
Ambitious, well yes but what the heck, with all you experts this should
be a simple task. Well at least if I could use VB6 to do the
interface.

10 Answers

Mayayana

6/10/2011 6:53:00 PM

| I want to create a website for custom design.
| I want to have widgets (images of widgets) that the user can position
| (rotate, X,Y, size).
| Available Widgets would be selected from a box of widgets.
| Then when completed, the user's design would be "sent" to me with a
| button press so I could weld it all up and send it to the user.
| Shopping cart needed too.
| Ambitious, well yes but what the heck, with all you experts this should
| be a simple task. Well at least if I could use VB6 to do the
| interface.
|
Piece o' cake. You just need to get a website host,
set up your site, add the shopping cart, and sign up
with a payment service. After that there's nothing
left to do but learn javascript and create some
"Web 2.0" pages. Plus you may want to use Flash
to do the rotating. :)

You didn't say what the widgets are. Custom VB
controls? I still don't see how you think you're going
to use VB for any part of this project other than
generating widgets to take screenshots of.

If you can create a local page in IE that allows
you to set up a facsimile of what you want, then
you could work on transfering that online. But I
think you're going to find that even just doing that
is a big undertaking. Interactive webpages are very
work intensive and generally depend on script hacks.
That's why "cloud apps" are still so limited in their
functionality. HTML was not designed for interaction.

(nobody)

6/10/2011 7:07:00 PM

"BeeJ" <nospam@live.com> wrote in message
news:istggj$kqb$1@speranza.aioe.org...
> Thanks for the previous opening discussion.
> It is always enlightening to hear all the views. Entertaining too.
> But I was really trying to find out if VB was good to use basically.
> Now to the real purpose of wanting to use VB6.
>
> For example.
> I want to create a website for custom design.
> I want to have widgets (images of widgets) that the user can position
> (rotate, X,Y, size).
> Available Widgets would be selected from a box of widgets.
> Then when completed, the user's design would be "sent" to me with a button
> press so I could weld it all up and send it to the user. Shopping cart
> needed too.
> Ambitious, well yes but what the heck, with all you experts this should be
> a simple task. Well at least if I could use VB6 to do the interface.

The general way this is implemented is by using Flash, or Java Applets, so
the user doesn't have to download or click on any security prompt. Java
Applets have the problem of being in source

http://en.wikipedia.org/wiki/J...

(nobody)

6/10/2011 7:16:00 PM

"Nobody" <nobody@nobody.com> wrote in message
news:istq1d$d21$1@speranza.aioe.org...
> The general way this is implemented is by using Flash, or Java Applets, so
> the user doesn't have to download or click on any security prompt. Java
> Applets have the problem of being in source
>
> http://en.wikipedia.org/wiki/J...

Clicked Send too soon.

Java Applets source can be viewed, so anyone can duplicate your work. I am
not sure if there are methods to encrypt or obfuscate the source code.

Jason Keats

6/11/2011 12:34:00 AM

Nobody wrote:
> Java Applets source can be viewed, so anyone can duplicate your work. I am
> not sure if there are methods to encrypt or obfuscate the source code.

If you decompile the applet (that was compiled to Java byte code) then
you can view the source. You don't actually distribute Java source code.

Obfuscators attempt to modify the byte code to prevent decompilation.

Jason Keats

6/11/2011 1:04:00 AM

BeeJ wrote:
> I want to create a website for custom design.
> I want to have widgets (images of widgets) that the user can position
> (rotate, X,Y, size).
> Available Widgets would be selected from a box of widgets.
> Then when completed, the user's design would be "sent" to me with a
> button press so I could weld it all up and send it to the user. Shopping
> cart needed too.
> Ambitious, well yes but what the heck, with all you experts this should
> be a simple task. Well at least if I could use VB6 to do the interface.

The only way you could use VB6 is by creating ActiveX controls which, as
others have explained, are only usable in IE on Windows and even then
have security problems - so are not acceptable to most users.

The main alternatives are Java (applets), Flash, Silverlight and
JavaScript (eg http://jqu...).

Only Silverlight allows you to program in VB(.NET).

Schmidt

6/13/2011 9:02:00 AM

"Mayayana" <mayayana@invalid.nospam> schrieb im Newsbeitrag
news:istp2q$gkh$1@dont-email.me...

> Plus you may want to use Flash
> to do the rotating. :)
Not even that is necessary anymore, if he will use the new
HTML(5)/CSS(3) capabilities - as shown for example on:
www.useragentman.com/tests/cssSandpaper/rotateTest.html
(running natively on all the new Browser-Engines with a
small "abstraction-helper" - as in this case: cssSandpaper).

Also the HTML5-canvas-Element supports rotation and
all kind of transforms:
http://www.peterkroener.de/test/canvas...
(I'd probably go with that, since the Canvas-methods
are in better "cross-browser-standardized" shape).

Or SVG is available too (in all the non-IE-engines)- and now
finally supported by IE9 (and onwards) too...
http://double.co.nz/video_test...
(didn't find a link to Vladimir Vukowiczs original example, based
on image- and not video-content anymore).

Or alternatively he can do a server-roundtrip - and perform the
Widget-creation (and rotation) at the serverside, using normal VB6-
Dll/Classes in the backend over a small "COM_Call_delegator.asp" ...
defined in only one line this way:
<% Server.CreateObject("Prog.ID").MySub(Server, Request, Response) ...

The last one the only approach where VB6 would be (fully) involved -
in a LAN-solution surely fast enough - but with regards to e.g. a
"MouseMove-triggered live-rotation directly in the Browser", it would
not work "snappy", when done over "more lagging DSL-connections"
(which have usually a 12-50msec latency with regards to the
server-roundtrip). But if the rotation-angles are limited to
certain "usual degrees" (new rotated Imgs delivered by a click
on a "Degrees-Combo-Box" for example), then such a more
serverside approach would work fast enough also over DSL.

But without at least a bit of "JavaScript-glue" one cannot
write an true interactive browser-solution anymore nowadays -
time to learn this stuff too.

Olaf

Mayayana

6/13/2011 1:24:00 PM

| > Plus you may want to use Flash
| > to do the rotating. :)
| Not even that is necessary anymore, if he will use the new
| HTML(5)/CSS(3) capabilities - as shown for example on:
| www.useragentman.com/tests/cssSandpaper/rotateTest.html
| (running natively on all the new Browser-Engines with a
| small "abstraction-helper" - as in this case: cssSandpaper).
|
| Also the HTML5-canvas-Element supports rotation and
| all kind of transforms:
| http://www.peterkroener.de/test/canvas...
| (I'd probably go with that, since the Canvas-methods
| are in better "cross-browser-standardized" shape).
|

......

| But without at least a bit of "JavaScript-glue" one cannot
| write an true interactive browser-solution anymore nowadays -
| time to learn this stuff too.

It's unfortunate that people have taken to using the
term "HTML5". While it does involve expanded HTML
and CSS abilities, it's still script-driven, as you noted.
So the term HTML5 is confusing. The promise of HTML5
should be that it obviates the need for script, rather
than just expanding the gross overuse of script. There
was a big AJAX fad. Now there's a big HTML5 hoopla. But
while there are actual new tags in HTML5, I don't see
it really solving any problems or greatly increasing what
HTML can do. It's still mostly about extreme javascript
hacks. It's getting to a point where many corporate
webpages are really javascript software, stretching
webpages to places they were never meant to go. If
the events could be increased in CSS and interactivity
could be decreased, they could meet in a happy, safe,
script-free middle. But as it stands now, I don't see any
great promise in HTML5.

Not that Flash is better. That IS software. And Flash is
a big risk in terms of both privacy and security. But it's
misleading to imply that new "technologies" are making
interactive pages more workable; that they're somehow
an improvement over Flash or other embedded software.

It's still a mess. And we're still on a collision course. Thus
far, the desire for convenience has made people bury their
heads about security and privacy issues. And a lot of
people have switched to Macs in the belief that it's a
carefree OS. But something's got to give eventually:

1) Nearly all online security risks, and many privacy intrusions,
require script.

2) Security and privacy problems are increasing in severity.

3) The use of heavily scripted webpages for "cloud software",
banking, shopping, social sites, etc., is increasing.

Which is not to say that people shouldn't learn javascript.
But they should be aware of its limitations before doing
all that work.

Schmidt

6/13/2011 7:11:00 PM

"Mayayana" <mayayana@invalid.nospam> schrieb im Newsbeitrag
news:it52sg$mj3$1@dont-email.me...

[JavaScript necessities...]
> It's unfortunate that people have taken to using the
> term "HTML5". While it does involve expanded HTML
> and CSS abilities, it's still script-driven, as you noted.

Yep, to make good use of many of these "extended tags"
(or elements) - as for example the <canvas> (which is a really
nice addition) - you will have to use JS to get access to Properties
or trigger the new available Methods on these new containers.

> So the term HTML5 is confusing. The promise of HTML5
> should be that it obviates the need for script, rather
> than just expanding the gross overuse of script.
Cannot fully agree on this, since there are some new element-
tags, which offer better functionality, just by "placing them in
normal tag-notation" (for example the new Form-Element-tags
for DateDialog-InputField, ColorDialog-InputField, UpDown-
InputField, etc.).

And on the other hand... what's wrong at all with combined
HTML_DOM + JS usage?

JS is necessary and makes a whole lot of sense, when
you want to spare roundtrips over your serverside code.
There's surely also examples for "overuse of script" out
there, but generally (when used efficiently), it does make
your WebApp faster. For example in clientside validation
(directly "on inputfield-keypress"), or as in direct clientside
rotation of already downloaded img-resources (as in the
canvas-example-link in my last post).

If you take VBs *.frm and *.frx Files - then this is comparable
with "static HTML-Element- and Resource-Definitions" -
and as for a WebApps-StartPage, you can specifiy a
"Startup-Form" in a given VB-Project.

And on App-Load (App-Runtime) you want to react to
Events of some of the "predefined Elements" (in your VB
*.frm File - as well as in a loaded Page on the Elements
of your "static HTML-definition").

To achieve that in VB, precompiled Glue-Code (semi-
interpreted PCode for example) is used, which is included
together with your *.frm-Resources in your "Exe"
(the OS and VB itself providing "runtime-libs" with
predefined functionality).

To achieve (clientside) interaction in a WebApp you just use
a very similar approach - the HTML-Definitions and -Resources
are loaded - and the Glue-Code is usually contained (as
JS-resources in the very same Page) as well.
Hosting-environment then the Browser-engine (no direct
access to OS-libs) - but by manipulating the GUI-DOM-
elements-Properties, pretty similar effects can be achieved
with regards to "dynamically changed visual output on the
GUI".

And for "heavy stuff in the Business-Logic, or accessing a
central DB-Store" in both cases Network-Roundtrips
are performed (in case of a Multi-User-App).

And the "formerly only interpreted" JS-parts are now
boosted to at least the level of VBs PCode-Performance.

> There was a big AJAX fad. Now there's a big HTML5 hoopla.
Yep, these terms were/are somewhat "over-marketed", but
nonetheless (from a pure technical point of view) this is all
"very useful stuff".

> But while there are actual new tags in HTML5, I don't see
> it really solving any problems or greatly increasing what
> HTML can do.
As said, e.g. the new HTML5-Form-Elements are somewhat similar
to: "VB6 with handcoded DateTime- or Color-Dialog-Popups" -
compared with "just using" the appropriate VB6-Controls
from the CommonControls.ocx.
It's just predefined new functionality in the Browser-Engine,
no need to load a ton of JS-Code anymore to achieve the
same Dialog-Popups per "JS-Framework".

New "rounded-corner-, or gradient-definitions"
directly per CSS3 on most Elements spares a lot of
(otherwise to download) "Skin-Resource-Images" and
the appropriate JS-Glue-Code too.

The canvas also allows dynamic creation of complex
image content with a few lines of JS-Code, sparing
the predefinition of appropriate Image-Resources
at the serverside (and also the download of these
resources into the Browser).

So by using the new HTML5-additions (instead of implementing
all of this advanced stuff per JS-Framework) one mainly achieves
a traffic-reduction ("the page loads much faster") effect.

> It's still mostly about extreme javascript hacks.
No, the new CSS3/HTML5-stuff is able to reduce the
amount of these "hacks".

> It's getting to a point where many corporate
> webpages are really javascript software, stretching
> webpages to places they were never meant to go.
Nah, come on...
The Web was always meant to be "interactive" - otherwise
there wouldn't have been a "link-element" (always able to
be placed not only on "text", but also on "form-buttons",
on img-tags, even img-areas, etc.).

And those link-elements were and are performing the "classic
server-roundtrip" (delivering new, "interactive content" ...
containing new links).

"A HTML-Browser" was therefore called exactly that - and not
"a Viewer".

Javascript was included (and used) more and more, to
avoid unnecessary server-roundtrips - to do certain stuff
directly in the Browser-Engine and on the DOM itself.

> the events could be increased in CSS and interactivity
> could be decreased, they could meet in a happy, safe,
> script-free middle. But as it stands now, I don't see any
> great promise in HTML5.
Could you give an example for such an Event - and
where you'd use it in favour of one or two JS-commands?

> Not that Flash is better. That IS software. And Flash is
> a big risk in terms of both privacy and security. But it's
> misleading to imply that new "technologies" are making
> interactive pages more workable; that they're somehow
> an improvement over Flash or other embedded software.
Hmm, those who had to use Flash so far, just to play a
simple "Tutorial-Video" can now use the new <video>-tag ...
those who were using Flash to incorporate clientside
Drawing-Functionality can now use the <canvas>, same for
sound - or games... (just look at googles WebGL-demos,
pretty impressive stuff, and not only for all these "Flash-
Game-Developers").

> It's still a mess.
I agree in so far, that the "committee" works with "glacial speed"
and that they should have included more of these "advanced Widgets"
(Controls) into the new standard - most important an exactly specified
and (much more) powerful DataGrid-tag (similar in usage and method-
count to e.g. the canvas) - the <datagrid> and <datalist> tags are there
in the new standard, but the current browser-implementations are
very poor, compared with what current JS-Frameworks have to offer
in this regard.

> And we're still on a collision course. Thus far,
> the desire for convenience has made people bury their
> heads about security and privacy issues. And a lot of
> people have switched to Macs in the belief that it's a
> carefree OS. But something's got to give eventually:
But these are problems which are more on the "consumer-side" -
they're not "HTML5-inherent" or "plain Javascript-Problems".

When you "go online" somewhere (even posting into this
very NewsGroup), you'll have to trust...
First the Server-Hoster, which is running the machine you're
about to do "requests against", then the "vendor of the concrete
service" (eternal-september for example) - and finally the
(vendor of the) serverside application which implements the
services you want to use (a bit of security's here, when these apps
are from Open Sources and checksum-proven)... next you have to
trust the content you're about to "download" over this application
(in case the provided content is not from the "already trusted"
vendor himself).

> 1) Nearly all online security risks, and many privacy intrusions,
> require script.
I'm sure there's also "zero-day-exploits" out there, which will
work, even when you're running your Browser of choice
with disabled JS (more difficult to write and more costly on
the "black-market", that's for sure).

But as said, if you're surfing "trusted sites", then enabled JS
is a lesser problem than surfing "darker corners of the Web"
with disabled script.

> 2) Security and privacy problems are increasing in severity.
Yep.

> 3) The use of heavily scripted webpages for "cloud software",
> banking, shopping, social sites, etc., is increasing.
That's again the just mentioned problem of calculated
risk - whom you trust - and what you're willing to "pay",
in case "something bad happens nevertheless".

Nobody wears a helmet or even an umbrella when going out
on a sunny day nowadays - why ... just imagine one of these
large airbuses overhead, having a failfunction of the WC-tanks
of the first-class (being entirely full of sh.t ... the tanks I mean...).
It's a situation of calculated risk, everyone is willing to take
apparently.
You also don't fasten your seatbelt, when only repositioning
your car into the next (just discovered) empty parking-space
(because it looks nicer or is 20meters more "near the entrance").

Same thing with all the "JS-enabled WebApps" - or potentially
"data-shredding", or "data-publishing" cloud-services ... as long
as bad things happen only to a very low percentage of users,
nobody cares - it's considered a minor risk (doesn't happen to me).

When you were bitten personally, then "things change" -
but the whole stuff is the same as with telling your kids
about all your experiences with "this and that" - and what
they should "look out for", to avoid "all the scars, you as
their elder already got". Never works as it should (it's
ignored with a mental shrug, considered a "lone voice
in the wilderness"-thingy).
Apparently everybody wants to make their own mistakes,
gets their own scars.
But I'd say this is a blessing in human nature, at least
when you take the position, that "progressing further in
decent speed" is a good thing, generally...

Just imagine all these (grown up) kids, sitting in their homes
(or was it in caves?) - all totally happy that (so far) nothing
bad happened to them, because they've "followed advise" -
(to never go out, until the fruits grew into their open mouths)
Seems not human to me... - not even animals behave in such
a risk-averse manner...;-)

> Which is not to say that people shouldn't learn javascript.
Ack.

> But they should be aware of its limitations before doing
> all that work.
There's (in terms of the language itself) not that much
limitations - it's a pretty powerful, functional language -
running roughly at VB6-PCode-speed in the meantime.
And second, there's just no alternative available in all
these rich Browser-engines nowadays, to glue stuff
together or manipulate the DOM.

Indirect limitations (in terms of security, in case you meant
that) are there, but that's not to blame on the language -
the Browser-vendors have to provide a real sandboxing
environment for it - that's apparently not easy, since so
far most of the "large browsers" were "owned" after
only short time-periods in the "official hacking contest".
http://dvlabs.tippingpoint.com/blog/2011/02/02/pw...
Only googles Chrome (with its sandboxing-approaches)
was surviving the last years - so there's work going on -
and the problem seems not impossible to solve.

Olaf

Mayayana

6/14/2011 3:42:00 AM

| And on the other hand... what's wrong at all with combined
| HTML_DOM + JS usage?
|

As I said, security.

| New "rounded-corner-, or gradient-definitions"
| directly per CSS3 on most Elements

That sort of thing is nice. But it won't be widely
supported for awhile, and it's essentially just frills.

| > the events could be increased in CSS and interactivity
| > could be decreased, they could meet in a happy, safe,
| > script-free middle. But as it stands now, I don't see any
| > great promise in HTML5.
| Could you give an example for such an Event - and
| where you'd use it in favour of one or two JS-commands?
|
The "pseudo classes". I don't know what's available at
this point. The only one I use and know of is :hover. It's
not called an event, but that's how it functions. It allows one
to set styles for when the mouse hovers over an element
I use it to create pop-out menus, similar to the way menus
appear on Windows. It could also be used for rollovers. That's
a degree of responsiveness that doesn't need script.
(Though it doesn't work in IE6 and I'm not sure about IE7.
IE6 only recognizes :hover for A tags. So I use script for menus
in IE and :hover for menus in all other browsers.)

When HTML5 was originally planned I had hoped that it
would bring events without script -- a degree of interactivity
and dynamic content within the context of harmless layout
directions rather than script.

|
| > And we're still on a collision course. Thus far,
| > the desire for convenience has made people bury their
| > heads about security and privacy issues. And a lot of
| > people have switched to Macs in the belief that it's a
| > carefree OS. But something's got to give eventually:

| But these are problems which are more on the "consumer-side" -
| they're not "HTML5-inherent" or "plain Javascript-Problems".
|
| When you "go online" somewhere (even posting into this
| very NewsGroup), you'll have to trust...
.......
| Same thing with all the "JS-enabled WebApps" - or potentially
| "data-shredding", or "data-publishing" cloud-services ... as long
| as bad things happen only to a very low percentage of users,
| nobody cares - it's considered a minor risk (doesn't happen to me).
|

I realize there's a range of opinion on these issues. Most
people who use script are like you -- they "doth protest too
much" that script is not something to worry about. It doesn't
take long for the tinfoil hat jokes to start. But there's a
deep disconnect between what people are doing online
and what they like to think they're doing online. The risks
and lack of privacy are routinely hidden from a public that
doesn't want to know about them. That's the collision
course.

You want to define the risks as a "consumer-side" problem
rather than a script/interactivity problem. That's a bit like
saying that a car with faulty brakes is a "death problem"
and not a mechanical problem.

Schmidt

6/14/2011 12:45:00 PM

"Mayayana" <mayayana@invalid.nospam> schrieb im Newsbeitrag
news:it6l6b$oie$1@dont-email.me...

> | > the events could be increased in CSS and interactivity
> | > could be decreased, they could meet in a happy, safe,
> | > script-free middle. But as it stands now, I don't see any
> | > great promise in HTML5.
> | Could you give an example for such an Event - and
> | where you'd use it in favour of one or two JS-commands?
> |
> The "pseudo classes". I don't know what's available at
> this point. The only one I use and know of is :hover. It's
> not called an event, but that's how it functions. It allows one
> to set styles for when the mouse hovers over an element...

Ah, yes ... but adding more of this kind of "interactive CSS-
behaviour" would make the CSS-parser more complex,
more vulnerable.
Future attacks would then perhaps not target the Browsers
JS-parser - but attack the CSS-parser instead (with "weird
parameters").

We could then well end up in a situation, where one
recommends, to disable CSS when surfing the Web -
and use JS instead, because it is "more secure in the
meantime"... ;-)

[risks when going online]
> I realize there's a range of opinion on these issues. Most
> people who use script are like you -- they "doth protest
> too much" that script is not something to worry about.
It is not something to not worry about...
But it is needed, when you want to use web-sites, which
load faster, and do more interactive stuff at the clientside
(without stressing the server with additional roundtrips).

The very same sites could be implemented in the
"traditional" way too (without JS, instead performing
a load of normal HTTP-Get and Post-requests to achieve
the required exchange of "interactive DOM-Elements").
But then perhaps nobody would want to use these sites,
due to (much) lower responsiveness.

For example Google could offer also a special GoogleMail-
Client, compiled into a "conventional executable", offered as
a "normal setup-download".
Then potential customers of this service would exchange
potential JS-vulnerabilities to those inherent with
conventionally compiled code.

In both cases you would have to trust the vendor -
(of the JS-containing pages - or in case of a
conventionally compiled GoogleMail-App, the
vendor of this executable you just downloaded).

> But there's a deep disconnect between what people
> are doing online and what they like to think they're
> doing online. The risks and lack of privacy ...
Think we have to draw a line here first, when we talk
about the risks of enabled JS on one hand - and "lack
of privacy" on the other...

Again, JS does not run at the serverside - it does only
run at the clientside, within the Browser in question.
And it serves at the clientside only, to spare roundtrips over
the serverside.

When we talk about "privacy", then we usually mean
"uploaded, private data/information to a given vendors
site or online-service, for (possibly unwanted) storage
at the serverside".

And this task (the upload) can be (and is) ensured also
without any JS, over conventional HTTP-Get/Post requests.

And User-behaviour, User-preference-tracking can be
(and is) ensured without any JS too (cookies).

And that's what i meant with "customer-problem" ... when
*you* type something into a WebForm and press the send-
button, that's your own responsibility - that's not the JS,
which is "entering all that data".

The risk with enabled JS is "only" - when malicious sites
inject - or confront the Browsers JS-Parser with stuff
it chokes on - with the goal to "break out" of the Browser-
process and install something "trojan-like" on the Operating-
system. One other goal (aside from the break-out attempt)
of malicious JS is, to install "cross-site/cross-frame Event-
Listeners *within* the Browser-process", to spy for Key-
Events, typed in a different Page or Frame.

But such attacks can be performed not only against
a Browsers JS-parser - they can also address the CSS-
parser - or address the "Flash-Container" trying to break
out from there - or use prepared Pictures, to break out
from within the PNG- or JPG-decoding-routines...

There's a lot of potentially vulnerable-points in todays
Browsers - the assumption: "with disabled JS im safe"
is a wrong one.
Thinking twice, on what links you click with your Main-
Browser (on your Main-System) is a better strategy.

Most of the customers out there also already run a "personal
firewall" - most of these software-packages already
support an online-filter, which works at the socket-level
and scans incoming HTTP-packets for "malicious signatures"
before they reach the Browsers HTML/CSS/JS parser-
routines - helps a bit, I assume...

All in all, the percentage of bitten users (losing money
for example due to spied out banking-passwords or
whatever) seems yet on a level, which is "bearable"
(by the not affected "broad mass").

> You want to define the risks as a "consumer-side" problem
> rather than a script/interactivity problem. That's a bit like
> saying that a car with faulty brakes is a "death problem"
> and not a mechanical problem.

No, what I want to say is, that
first:
- there's no "interactivity-problem" with JS
(an ajax:RPC-request is finally performing a http-post or a
http-get in the end - and these "server-interactivity-actions"
can also be performed over normal "link-actions" in a
running browser-instance)

and second:
- enabled JS is only one *additional* point, that can widen
the potential attacking-surface of a running browser-instance,
but its not the only one point which is potentially attackable.

To come back to "car-examples": your recommendation is,
to never drive a car, which comes with these new "drive by
wire" brakes (triggered over an electric signal, when you
push the pedal) - since the microprocessor could fail -
or a wire could fail...
But all these cars with this new breaking-mechanism also
support ABS (an advantage), which one would give out
of hand, in case the recommendation is followed, to drive
only cars, which "decelerate normally", over a "pure
mechanical solution").

Hmm, now it is not unknown, that also before the introducion
of the "electronic brake" there were car-accidents due to
failing brakes (leaking hydraulics, failing mechanics).

A good part of these accidents perhaps avoidable, when
normal maintenance intervals would have met (customer-
responsibility).

And of course there was/is also accidents due to failing
"electronic brakes" - and as above ... there's customer
responsibility, to meet maintenance-intervals, where
the cars electronic-components are checked -maybe
exchanged or updated with new firmware.

And yes, these new brakes add a new level of complexity
on top of "already proven stuff" (the mechanic and hydraulic
parts of a brake) - but as said, the new added layer
is necessary for "additional advantages" nobody wants
to miss in a new car (ABS/ESP can help to avoid some
kind of accidents).
It's the responsibility of the vendor, to "harden" this
"additional layer of complexity" over time, to make it robust
and foolproof.

To come back to the browser (vendors) - I think they can
accomplish this goal (to harden the JS-layer) ... Google-
Chrome alreaedy "near there".

But nevertheless, "browsing-accidents" will always happen
(even with a near perfect, hardened JS-Layer) - especially
when the user of a browser is careless, "where to" - and on
which roads he travels (and if his car is well-maintained)...

Olaf

microsoft.public.vb.general.discussion

Web Pages Revisited

BeeJ

Mayayana

(nobody)

(nobody)

Jason Keats

Jason Keats

Schmidt

Mayayana

Schmidt

Mayayana

Schmidt

x Login to ForumsZone