Javascript = poor security

Jake Edge writes about “[Web security vulnerabilities and Javascript](”:

> Various recent, unrelated security issues seem to have a common thread: Javascript.

This has been true for the past several years, and it’s not restricted to Javascript — it has happened with Flash. Our browsers suck down executable code from nearly every web site we visit, and run it. It enables a richer web browsing experience. Although JavaScript, and to a lesser extent, Flash, are somewhat restricted in what they can run on our computers, it opens the potential for abuse. And they have been [abused](, [again]( and [again](

What solutions exist?

1. Stick head in sand.
3. Wait for web site owners and browser manufactures to fix the security problems. And wait. And wait. And wait some more.
2. Use Firefox and the [NoScript]( extension, which disables JavaScript, Flash, Silverlight and other executable code from running. It’s easy to enable JavaScript when needed.

[NoScript]( can turn web browsing into a painful experience. Some web sites don’t function properly without JavaScript enabled. Functionality breakage may be subtle. I once bought movie tickets for the wrong day because I had JavaScript disabled. I still use NoScript.

[NoScript]( has advantages beyond security: I see fewer annoying animated ads, making many web sites more readable.