I just had a discussion via Twitter about the desired behavior of browsers during an endless javascript loop (e.g. while(true){alert(“test”);}). One of my friends suggested that browsers should correct this kind of code. Browsers should do this in order to prevent endless loops that crash you browser or your operating system.

Horror scenario

This really sounds horrible to me. Whenever I write code I would like to see it executed the way I wrote it, not the way I could have probably thought about it that it should work. If I write lousy code, let the browser crash, let my operating system crash and probably I will learn something of it. In the worst case even valid code could be corrected by the browser since it could match a pattern that is used to filter invalided code blocks. That would be a real developers nightmare: hyper correcting browsers that are adjusting valid code blocks combined with all current known specific browser quirks.

However this hyper correcting behavior could make the web even more insecure. Microsoft will probably implement some protection in Internet Explorer 8, at first sight this is pretty nice, however there are quite some (amateur) developers that ‘test’ their websites in only one browser. After testing it in e.g. Internet Explorer 8 it assumed save and published on the Internet. However when using a different browser XSS is still possible and the visitor can still be harmed by these kind of attacks.

The responsibility of a developer

With all these hyper corrections you will be in the end only safe on the Internet depending on what browser you use. This is incorrect you should always be safe on the Internet no matter what browser you use. The developer is responsible for the security /usability of his web page/ application, not the browser! The browser should only be supportive to visit and use this page / application.