Section 1.5. The JavaScript Sandbox


1.5. The JavaScript Sandbox

When JavaScript was first released, there was understandable concern about opening a web page that would execute a bit of code directly in your machine. What if the JavaScript included something harmful, such as code to delete all Word documents or worse, copy them for the script originator?

To prevent such occurrences and to reassure browser users, JavaScript was built to operate in a sandbox: a protected environment in which the script can't access the resources of the browser's computer.

In addition, browsers implement security conditions above and beyond those established as a minimum for the JavaScript language. These are defined in a browser-specific security policy, which determines what the script can and cannot do. One such security policy dictates that a script may not communicate with pages other than those from the same domain where the script originated. Most browsers provide the means to customize this policy even further, making the environment in which the script operates more, or less, restrictive.

Unfortunately, even with the JavaScript sandbox and browser security policies, JavaScript has had a rough time, and hackers have discovered and exploited several JavaScript errorssome browser-dependent, some not. One of the more serious is known as cross-site scripting (XSS). This is actually a class of security breaks (some coming through JavaScript, others through holes in the browsers, and still others through the server) that can lead to cookie theft and exposure of client or site data and a host of other serious problems.

We'll look at this later in much more detail, as well as how to prevent XSS, along with other security problems and preventions, and that infamous little goodie, the cookie, in Chapter 8.

The CERT site is the most authoritative on security issues, and the page discussing XSS can be found at http://www.cert.org/advisories/CA-2000-02.html. The CGISecurity.com site has an in-depth FAQ on XSS and can be found at http://www.cgisecurity.com/articles/xss-faq.shtml.


It's important to be aware that JavaScript can be vulnerable, even with the best of intentions on the part of browser vendors. However, this shouldn't dissuade you from using JavaScript; most problems can be prevented by understanding their nature and following steps recommended by security experts.




Learning JavaScript
Learning JavaScript, 2nd Edition
ISBN: 0596521871
EAN: 2147483647
Year: 2006
Pages: 151

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net