Hi Derek
    I agree with the replies from Miles, Chris and David that Java and
JavaScript support should be left on in order to provide access to rich,
interactive web services.
   I think that you'll find that many centrally-funded national initiatives
are now using such technologies (e.g. BIDS discovered that many end users
had problems navigating their services when it was based on simple HTML 3.2.
They made a decision to use JavaScript [and frames] in order to improve the
user interface).
    This debate reminds me of a similar one in the early days of TLTP
projects.  We found that TLTP developers were developing applications
(typically MS Windows applications using software such as Toolbook) which
would not run on networked PCs for various reasons (no write permission to
system directories, DLLs not available, DLL conflicts with other
applications, etc.)  A former colleague at Leeds University (Andy Walker)
wrote a document on designing CBL applications for installation on a network
which addressed some of these concerns.
   It seems to me that something similar is needed for web services.
Although an institution can make decisions about the technologies to deploy
(e.g. JavaScript, plugins, etc.) in its own institution (although even that
can be difficult) it's even more difficult to know what policies are
implemented in other institutions.
   Is there a solution to this?  Could, institutions, for example, put up a
list of their policies so that we could get a national picture?  Should
someone be defining national recommendations?
   What do people think?

Brian



------------------------------------------------------
Brian Kelly, UK Web Focus
UKOLN, University of Bath, BATH, England, BA2 7AY
Email:  [log in to unmask]     URL:    http://www.ukoln.ac.uk/
Homepage: http://www.ukoln.ac.uk/ukoln/staff/b.kelly.html
Phone:  01225 323943            FAX:   01225 826838
-----Original Message-----
From: Derek Phillips <[log in to unmask]>
To: [log in to unmask] <[log in to unmask]>
Date: Thursday, November 12, 1998 1:58 PM
Subject: Java and JavaScript Browser Security issues


>We are reviewing our policy with regard to the enabling/disabling of Java
>and Javascript in our supported browser.  The Web Team has had a full and
>wide ranging debate about this, and we believe that we understand the
>issues and implications.  But we find ourselves with a fundamental
>difference of opinion based on the assessment of the security issues.  We
>are thus unable to decide on the best policy to adopt.
>
>To assist us in this we would appreciate it greatly if you could indicate
>what approach you take to the following:
>
>1. What advice do you give users about enabling/disabling Java and
>Javascript in browsers?  Are network browsers supplied with the default
>settings, or with Java/JavaScript disabled?
>
>2. What advice do you give Web authors about using Java/JavaScript in web
>pages?
>
>Our current policy is to disable these languages in the network browser
>(Netscape) and to recommend that they are not enabled.  The argument for
>doing this has been based on a range of security issues.
>
>Thanks.
>
>Derek
>========================================================
>Derek Phillips  -  Web Service Administrator - Web Team
>Cardiff University  -  http://www.cf.ac.uk/
>Email: [log in to unmask] - Tel: 01222 874497
>
>



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%