In an opinion article today, Dave Winer contemplates, "Why developers want HTML rendering in the OS" and goes on to explain his experience of sending an email to a group of people. The great thing was, according to Dave, this email included a piece of Javascript that made a call back to a server where it could run a random banner-ad type script, which naturally, displayed a random banner ad right there in your email client!

Dave goes on to give a brief explanation of how this all happened, drops the expected Linux references, and summarizes with thanks to Microsoft for providing the software that is "enabling the revolution."

Revolution? To any security minded person, this is more of a nightmare! How does javascript embedded email constitute a revolution? If anything, allowing javascript to be executed by your email client is a serious compromise of the security of your system. However, I'm not here to talk about the security issues surrounding scriptable email messages, that's been beaten to death already on BugTraq:

On top of the security issues listed above, imagine what kind of javascript enabled spam you could get from people! Now instead of spam email that has a link to the "Make Money Fast" website, your javascript enabled email client parses a document.open function that calls up the "Make Money Fast" website in your browser? Porn pop up windows anyone? You get the idea..

Which developers want HTML email - much less javascript enabled email - in their inbox? The majority of developer mailing lists in fact discourage sending any sort of non-text email, including HTML and javascript encoded email. Why does Dave make such a broad statement claiming that this is what "Developers" want? I am a developer, and Dave sure as hell doesn't speak for me. This article appeared on scripting.com, but I doubt many scripting developers would agree with Dave either. A casual reader, teacher, or executive might stumble across a site about scripting such as scripting.com and think that what Dave is saying is in fact what people that 'script' and 'develop' want.

In summary, I think Dave (as well as companies like Microsoft) should think more about the security and privacy issues that surround a topic like this, and protect us as users first before developing functionality that might put our sensitive information at risk trough the use of an insecure technology such as scriptable email.