As I've already mentioned, the first line of defense against malicious scripts in client-side JavaScript is that the language simply omits certain capabilities. The second line of defense is that JavaScript imposes restrictions on certain features that it does support. For example, client-side JavaScript supports a close( ) method for the Window object, but most (hopefully all) web-browser implementations restrict this method so that a script can close only a window that was opened by a script from the same web server. In particular, a script cannot close a window that the user opened; if it tries to do so, the user is presented with a confirmation box asking if he really wants to close the window.
The most important of these security restrictions is known as the same-origin policy and is described in the next section. The following is a list of the other security restrictions found in most implementations of client-side JavaScript. This is not a definitive list. Each browser may have a slightly different set of restrictions, and the proprietary features of each browser may well have proprietary security restrictions to go along with them.
The History object was originally designed as an array of URLs that represented the complete browsing history of the browser. Once the privacy implications of this became apparent, however, all access to the actual URLs was restricted, and the History object was left with only its back( ), forward( ), and go( ) methods to move the browser through the history array without revealing the contents of the array.
The value property of the FileUpload object cannot be set. If this property could be set, a script could set it to any desired filename and cause the form to upload the contents of any specified file (such as a password file) to the server.
A script cannot submit a form (using the submit( ) method of the Form object, for example) to a mailto: or news: URL without the user's explicit approval through a confirmation dialog box. Such a form submission would contain the user's email address, which should not be made public without obtaining the user's permission.
A JavaScript program cannot close a browser window without user confirmation unless it opened the window itself. This prevents malicious scripts from calling self.close( ) to close the user's browsing window, thereby causing the program to exit.
A script cannot open a window that is smaller than 100 pixels on a side or cause a window to be resized to smaller than 100 pixels on a side. Similarly, such a script cannot move a window off the screen, or create a window that is larger than the screen. This prevents scripts from opening windows that the user cannot see or could easily overlook; such windows could contain scripts that keep running after the user thinks they have stopped. Also, a script may not create a browser window without a titlebar, because such a window could be made to spoof an operating-system dialog box and trick the user into entering a sensitive password, for example.
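The window-geometry rules above (100-pixel minimum, nothing off screen or larger than the screen, titlebar required) amount to a sanitizer that a browser runs over the features string handed to window.open( ). The following is an added example of such a sanitizer written for this page; it is a model, not any browser's actual code. The features-string parser, the `screen` object passed in, and the violation names are this example's own assumptions.

```javascript
// Added example (not from the book): a model of how a browser could sanitize
// the "features" string passed to window.open() to enforce the restrictions
// described in the text. The rules are the text's; the parser, the screen
// object and the violation labels are assumptions made for this example.

const MIN_SIDE = 100; // minimum width and height in pixels, per the text

// Parse "width=50,height=50,left=-300,titlebar=no" into a plain object.
// A feature given without a value (e.g. "titlebar") is treated as "yes".
function parseWindowFeatures(features) {
  const result = {};
  for (const item of features.split(',')) {
    const trimmed = item.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    if (eq === -1) { result[trimmed.toLowerCase()] = 'yes'; continue; }
    result[trimmed.slice(0, eq).trim().toLowerCase()] = trimmed.slice(eq + 1).trim();
  }
  return result;
}

function toBool(v, dflt) { return v === undefined ? dflt : !/^(no|0|false)$/i.test(v); }
function toInt(v, dflt) { const n = parseInt(v, 10); return Number.isFinite(n) ? n : dflt; }
const clamp = (n, lo, hi) => Math.min(Math.max(n, lo), hi);

// Apply the restrictions. `screen` is an assumed {width, height} in pixels.
// Returns the geometry the browser would actually use plus the list of rules
// it had to enforce, which is what you would log when a page asks for an
// abusive window (tiny, hidden, or dressed up to look like a system dialog).
function enforceWindowRestrictions(features, screen) {
  const f = typeof features === 'string' ? parseWindowFeatures(features) : { ...features };
  const violations = [];

  let width = toInt(f.width, screen.width);
  let height = toInt(f.height, screen.height);
  if (width < MIN_SIDE || height < MIN_SIDE) violations.push('too-small');
  if (width > screen.width || height > screen.height) violations.push('larger-than-screen');
  width = clamp(width, MIN_SIDE, screen.width);
  height = clamp(height, MIN_SIDE, screen.height);

  let left = toInt(f.left, 0);
  let top = toInt(f.top, 0);
  if (left < 0 || top < 0 || left + width > screen.width || top + height > screen.height) {
    violations.push('off-screen');
  }
  left = clamp(left, 0, screen.width - width);
  top = clamp(top, 0, screen.height - height);

  // A window without a titlebar could be made to spoof an OS dialog, so the
  // titlebar is always forced on.
  if (!toBool(f.titlebar, true)) violations.push('no-titlebar');

  return { width, height, left, top, titlebar: true, violations };
}

// Constructed sample: a request for a tiny, partly off-screen, titlebar-less window.
const SAMPLE_SCREEN = { width: 1024, height: 768 };
const SAMPLE_REQUEST = 'width=50,height=50,left=-300,top=20,titlebar=no';
console.log(enforceWindowRestrictions(SAMPLE_REQUEST, SAMPLE_SCREEN));
```

Because the function returns the list of enforced rules rather than silently fixing the geometry, it can double as a detector: a page that repeatedly requests sub-100-pixel or off-screen windows is worth flagging even though the request itself is rendered harmless.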
A script may not cause a window or frame to display an about: URL, such as about:cache, because these URLs can expose system information, such as the contents of the browser's cache.
A script cannot set any of the properties of an Event object. This prevents scripts from spoofing events. A script cannot register event listeners within, or capture events for, documents loaded from different sources than the script. This prevents scripts from snooping on the user's input (such as the keystrokes that constitute a password entry) to other pages.
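The close( ) restriction described at the start of this section and the event-listener restriction just above both turn on the same question: did the document or window come from the same web server as the running script? The following added example (written for this page, not taken from the book or any browser) models that decision. It compares scheme, host and port as the origin, treats a window whose opener is null as one the user opened, and uses constructed URLs and window records throughout; all of those details are assumptions of the example.

```javascript
// Added example (not from the book): a model of the "same web server" check
// behind Window.close() and cross-document event-listener registration.
// Window and document records, URLs and the decision labels are constructed
// for this example.

// Reduce a URL to the triple that is compared: scheme, host and port, with
// the scheme's default port filled in so that http://a.com and
// http://a.com:80 compare equal.
function originOf(url) {
  const u = new URL(url);
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

function sameOrigin(a, b) { return originOf(a) === originOf(b); }

// What happens when a script running at `scriptUrl` calls close() on `win`.
// `win.openerUrl` is the URL of the script that opened the window, or null
// when the user opened it.
//   'close'   -> the window closes silently (script-opened, same origin)
//   'confirm' -> the user is shown a confirmation box first
function closeDecision(win, scriptUrl) {
  if (win.openerUrl !== null && sameOrigin(win.openerUrl, scriptUrl)) return 'close';
  return 'confirm';
}

// Listener registration: allowed only when the target document was loaded
// from the same origin as the script doing the registering, so a script
// cannot watch keystrokes typed into another site's login form.
function mayRegisterListener(doc, scriptUrl) {
  return sameOrigin(doc.url, scriptUrl);
}

// Constructed sample state.
const windows = {
  popup: { openerUrl: 'http://www.example.com/app/', url: 'http://www.example.com/popup.html' },
  userWindow: { openerUrl: null, url: 'http://www.example.com/' },
  otherPopup: { openerUrl: 'http://ads.example.net/', url: 'http://www.example.com/x.html' },
};

// Run every decision for one script and return the results as an object.
function demo() {
  const script = 'http://www.example.com:80/app/main.js';
  return {
    popup: closeDecision(windows.popup, script),            // 'close'
    userWindow: closeDecision(windows.userWindow, script),  // 'confirm'
    otherPopup: closeDecision(windows.otherPopup, script),  // 'confirm'
    bankListener: mayRegisterListener({ url: 'https://bank.example.org/login' }, script), // false
    ownListener: mayRegisterListener({ url: 'http://www.example.com/form.html' }, script), // true
  };
}

console.log(demo());
```

The explicit default-port handling in originOf( ) is the detail most often got wrong in hand-rolled origin checks: a string comparison of `http://www.example.com` against `http://www.example.com:80` would wrongly treat a script's own server as foreign.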
Copyright © 2003 O'Reilly & Associates. All rights reserved.