Chapter 22: JavaScript Security

Overview

Downloading and running programs written by unknown parties is a dangerous proposition. A program available on the Web could work as advertised, but then again it could also install spyware, a backdoor into your system, or a virus, or exhibit even worse behavior such as stealing or deleting your data. The decision to take the risk of running executable programs is typically explicit; you have to download the program and assert your desire to run it by confirming a dialog box or double-clicking the program s icon. But most people don t think about the fact that nearly every time they load a Web page, they re doing something very similar: inviting code ”in this case, JavaScript ”written by an unknown party to execute on their computer. Since it would be phenomenally annoying to have to confirm your wish to run JavaScript each time you loaded a new Web page, the browser implements a security policy designed to reduce the risk such code poses to you.

A security policy is simply a set of rules governing what scripts can do, and under what circumstances. For example, it seems reasonable to expect browsers security policies to prohibit JavaScript included on Web pages downloaded from the Internet from having access to the files on your computer. If they didn t, any Web page you visited could steal or destroy all of your files!

In this chapter we examine the security policies browsers enforce on JavaScript embedded in Web pages. We ll see that these policies restrict JavaScript to a fairly benign set of capabilities unless the author of the code is in some way trusted, though the definition of trusted can vary from browser to browser, and is in any case a somewhat suspect notion.