Hiya, On 31/05/2025 20:27, John R Levine wrote:
On Sat, 31 May 2025, Stephen Farrell wrote:In my case the human check is about a two second delay and doesn't require that I do anything.It requires you to run JS from CF when you want to talk to IETF servers, and, unless you go to more trouble, to any other server. That may be something you're fine with. I'm unhappy about it. I don't think your or my preferences are inherently better or worse.I think your preferences are fine,
From your last statement about html and email, I suspect you might not, really:-)
but if the alternative is to add lots more servers to handle useless roborequests from bots, I wonder how much we are prepared to spend to let people avoid JS.
That is different from your original point which asserted you had to do nothing. The point about bots has been made already, is real, and may or may not justify expecting us all to allow JS from a non IETF source. (I don't recall being asked at that level of detail, but it's a pretty fine-grained point, so that's not a complaint.)
Honestly, when I consider the way browsers sandbox web pages now, it seems rather 20th c., like no HTML in e-mail.
A default of no html in email is eminently sensible IMO, considering the overall attack surface. The same is true for e.g. using NoScript. Disagreeing with that is fine. Disparaging such positions seems less classy. S.
R's, John
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
