2015-05-16 0:16 GMT+09:00 stef <[1]s@ctrlc.hu>:

   webapplications shouldn't exist in the first place, there's OS level
   binaries
   that should be used instead. but i totally understand that the
   time-to-market
   and the RoI of hiring a bunch of dumb jsdevs is greatly more profitable
   than
   doing it right. the incentives of the system subvert and cannibalize
   the
   system itself. omnomnom.

   Sorry, webapplications are the undeniable future because of how easily
   and reliably they can be deployed to all devices. It's kind of why the
   JVM was ever a thing, only much, much better.
   The experience of transferring and then properly configuring rights to
   .... oh look at that - hardly any users left

   since you addressed sandboxing, i'm much more of a fan of reducing the
   attack
   surface than sandboxing. sandboxing should be only used in a
   defense-in-depth
   setup, with other factors being more important, like reducing all the
   layers
   of cruft underneath.

   Sandboxing reduces the attack surface, and the potential of attacks.

   attackers are not much deterred by the sandboxing. whereas noscript is
   indeed
   in the interest of the user, not the industries.

   Sorry, users like features. Users, in fact, like features so much that
   nothing else actually matters. You can say it's in the interest of
   users, but users worldwide are disagreeing with you. Users <3 JS.
   Certain exploits (like the cache-eviction attack recently) are massive
   breaks in security. It will be patched and all will be fine. So we will
   continue to find and fix exploits, until perhaps the day that a small
   subset of features becomes standardized and formally proven. The
   problem, ultimately, is features. And it will always be features.

References

   1. mailto:s@ctrlc.hu