Monday, September 25, 2006

The Security provided by Javascript Language


JavaScript only works on things that are in HTML pages or part of the browser. You cannot influence anything that's not contained by the browser. But even within the browser there are some no–go areas. Basically JavaScript wants to protect the privacy of the user by disallowing some actions and asking permission for others:

  1. You cannot read out the history of the browser. Thus a malicious site owner cannot write a script that finds out where you surfed to recently.
    You can go back or forward in the browsing history, but you cannot find out which page you’ll go to.
  2. You cannot do anything in pages that come from another server. So if your frameset contains two pages from two servers, they cannot communicate with each other. Thus a malicious site owner cannot find out which sites you’ve opened in other browser windows. See the frame busting page for some more information.
  3. You cannot set the value of a file upload field (<input type="file">). 
    document.forms[0].upload_field.value = '/my/password/file';
    document.forms[0].submit();

  4. If you try to close a browser window that has not been opened by JavaScript, the user is asked to confirm this action.
    However, this rule isn't implemented in all browsers and is easy to work around in Explorer.
  5. If you try to submit a form to a mail address by JavaScript, the user is asked to confirm this action.
  6. You should not be able to open a new window smaller than 100x100 pixels and/or to position it outside the screen area of the computer. Thus a malicious site owner cannot spawn an invisible window.
    Note that Explorer on Windows (and maybe other browsers, too) does allow this, contrary to safety regulations.

Thus JavaScript is a scripting language for influencing HTML elements, like forms, images, layers, paragraphs and such, and for influencing a few non–HTML objects like the browser window. Nothing more, but (most importantly) nothing less.

Get more information

Tags: javascript, javascript security, html page, web page, password file, malicious site, frame busting, script, frameset, submit form

posted by eshwar @ 11:08 PM   0 comments

0 Comments:

Post a Comment

<< Home