[buug] !*%@ javascript

Rick Moen rick at linuxmafia.com
Tue Jul 24 13:40:18 PDT 2012


Quoting Ian Zimmerman (itz at buug.org):

> That works for the tracking subproblem, but that is the easier part to
> solve.  I am also (and more) worried about actual exploits such as XSS
> and CSRF.

When you say 'actual exploits', I hope you realise that cross-site
scripting attacks are not attacks against the Web browsing user, but
rather against Web sites using the user as vector for the attack.

So, although as a good citizen on the Internet, you have a general
incentive to not be a means for doing harm to others, you are not
yourself, personally, at risk from this category of mayhem.

Cross-site request forgeries are, by contrast, more of a direct user
threat.  But that's what RequestPolicy is for.


