ietf-smtp
[Top] [All Lists]

Re: Requesting comments on draft-cheney-safe-02.txt

2009-08-01 10:19:33

Hector Santos wrote:

Well, all bets are off. That is why I think you may be blowing against the wind here. WEB 2.0+ direction is too strong. The market is certainly caring less for Web 1.0 only support and would rather (because it is less costly) just spit out a message:

    Sorry, Javascript is enabled to use this site.


I meant that to say:

    Sorry, Javascript is REQUIRED to use this site.

Today, if a user is concern about reaching a site with hidden cross domain operations, they can use the browser's No Scripting options like newer IE and FireFoxes with the most excellent NoScript plugin.

At the end of the day, either you allow the site to run as it was designed if you want to be part of it, or just ignore it if you are concern about its cross domain behavior. i.e, FACEBOOK - either you want to be part of it or you don't because it relies are strong interactive behavior and TONS of cross domain communications.


Let me illustrate how BAD it has gotten.

I have all the browsers installed on my machine for testing purposes against our hosting products.

For personal usage, I use Firefox with NoScript. With NoScript, if I trust the web site I am hopping to I will click the bottom right status bar NoScript ICON and it will list the main site and other cross domains it is trying to reach. It offers me to permanently or temporarily white list the main and/or the others. In general I just white list the main site, not the cross domain sites.

For all these years that worked great. The sites I most visited still were 95% WEB 1.0 compatibility - I could web hop with javascript off by default and only enabled the ones I want to get the job done.

Within the last year, more and more sites are saying the above:

      "Javascript is required."

Now, if I care or needed to continue, I will enable it. Otherwise, forget them.

Today, more and more of the newer sites are completely Web 2.0+ and unless I completely white list them, I mean everything, even the cross site AD request and tracking domains, they will not work. Even with me telling NoScript to opening it up.

Its gotten so bad, I have to use Google Chrome when I want complete unrestricted access to a particular site.

The point?

Google Chrome is the first browser to make it 100% known they do not want users to control their tracking and usage of Javascript to do background communications in a cloud or with their main HQ. Typing at the address bar is now DYNAMIC. It records everything you do. Its part of their model of the future. So I use it when I want full web 2.0 experience and I don't worry about what it is doing (even though I showed how to stop its tracking here):

http://santronics.blogspot.com/2008/09/removing-chrome-spying-activity.html

Other browsers are watching and following suite and overall, its no longer what the user wants but rather trying to convince them there is no harm, "TRUST ME - THE BROWSER" and to change the mindset by having them ignore the idea that they is tons of communications going on. Most user don't even know it is going on and certainly not the new generation - the vendors are betting on it.


--
Sincerely

Hector Santos
http://www.santronics.com