2015-05-16 0:16 GMT+09:00 stef
webapplications shouldn't exist in the first place, there's OS level binaries that should be used instead. but i totally understand that the time-to-market and the RoI of hiring a bunch of dumb jsdevs is greatly more profitable than doing it right. the incentives of the system subvert and cannibalize the system itself. omnomnom.
Sorry, webapplications are the undeniable future because of how easily and reliably they can be deployed to all devices. It's kind of why the JVM was ever a thing, only much, much better. The experience of transferring and then properly configuring rights to .... oh look at that - hardly any users left since you addressed sandboxing, i'm much more of a fan of reducing the
attack surface than sandboxing. sandboxing should be only used in a defense-in-depth setup, with other factors being more important, like reducing all the layers of cruft underneath.
Sandboxing reduces the attack surface, and the potential of attacks.
attackers are not much deterred by the sandboxing. whereas noscript is indeed in the interest of the user, not the industries.
Sorry, users like features. Users, in fact, like features so much that nothing else actually matters. You can say it's in the interest of users, but users worldwide are disagreeing with you. Users <3 JS. Certain exploits (like the cache-eviction attack recently) are massive breaks in security. It will be patched and all will be fine. So we will continue to find and fix exploits, until perhaps the day that a small subset of features becomes standardized and formally proven. The problem, ultimately, is features. And it will always be features.