I've done a lot of UI work for an embedded device which explicitly supported IE8. Compare IE8 to Chrome for anything of complexity and you really do realise how slow it is. What would take about 30 seconds in Chrome would be over 10 minutes in IE8.
This of course was doing a lot of XML data processing with XPath and using the Dojo framework. But all in all, JavaScript is mostly compatible, it's the DOM you have to watch, trailing commas and some subtle XML properties such as 'hasAttribute', and of course, don't leave in those console.log statements.
Wrap the low-level stuff and make sure all your developers write consistent code, and life will be a lot better.
You make me sit there and wait for the results of a scan of a website and then don't show me it? You then ask me to create an account to view my 2 "borderline-unsecure" vulnerabilities? OK, account created with dummy email. Oh, what's this? I still can't view the results? I have to upload shit to my production site in order to just view the results? Did you even actually find anything wrong?
I understand the security implications of having someone verify they do indeed own the site scanned...but this bait and switch crap is infuriating. If you are going to go down that route, at least message it somewhere...clearly.
You're right regarding the security implications. We can't show vulnerabilities to someone who hasn't verified they own the site they've scanned, unfortunately. We're working on ways to message this better (specifically, having a "Step N of M" with titles for what each step is).
We have some one-off checks that are more 'instant gratification' like our Rails YAML vulnerability check (https://www.tinfoilsecurity.com/railscheck) and we'll be adding more like these in the future.
Sorry you felt it was a bait-and-switch...we'd love to make it up to you. Feel free to email us at support@tinfoilsecurity.com and we'll definitely try to make it right. :)