21.2 Restricted Features
As I've already
mentioned, the first line of defense against malicious scripts in
client-side JavaScript is that the language simply omits certain
capabilities. The second line of defense is that JavaScript imposes
restrictions on certain features that it does support. For example,
client-side JavaScript supports a close( ) method for the
Window object, but most (hopefully all) web-browser implementations
restrict this method so that a script can close only a window that
was opened by a script from the same web server. In particular, a
script cannot close a window that the user opened; if it tries to do
so, the user is presented with a confirmation box asking if he really
wants to close the window.
The most important of these security restrictions is known as the
same-origin policy and is described in the
next section. The following is a list of the other security
restrictions found in most implementations of
client-side JavaScript. This is not a
definitive list. Each browser may have a slightly different set of
restrictions, and the proprietary features of each browser may well
have proprietary security restrictions to go along with them.
The History object was originally
designed as an array of URLs that represented the complete browsing
history of the browser. Once the privacy implications of this became
apparent, however, all access to the actual URLs was restricted, and
the History object was left with only its back( ),
forward( ), and go( ) methods
to move the browser through the history array without revealing the
contents of the array.
The value property of the
FileUpload object cannot be set.
If this property could be set, a script could set it to any desired
filename and cause the form to upload the contents of any specified
file (such as a password file) to the server.
A script cannot submit
a form (using the
submit( ) method of the
Form object, for example) to a mailto: or
news: URL without the
user's explicit approval through a confirmation dialog box.
Such a form submission would contain the user's email address,
which should not be made public without obtaining the user's
permission.
A JavaScript program cannot close a browser window without
user confirmation unless it opened the window itself. This prevents
malicious scripts from calling self.close( ) to
close the user's browsing window, thereby causing the program
to exit.
A
script cannot open a window
that is smaller than 100 pixels on a side or cause a window to be
resized to smaller than 100 pixels on a side. Similarly, such a
script cannot move a window off the screen, or create a window that
is larger than the screen. This prevents scripts from opening windows
that the user cannot see or could easily overlook; such windows could
contain scripts that keep running after the user thinks they have
stopped. Also, a script may not create a browser window without a
titlebar, because such a window could be
made to spoof an operating-system dialog box and trick the user into
entering a sensitive password, for example.
A script may not
cause a window or frame to display an about:
URL, such as about:cache, because these URLs can
expose system information, such as the contents of the
browser's cache.
A script
cannot set
any of the properties of an Event object. This
prevents scripts from spoofing events. A script cannot register event
listeners within for or capture events for documents
loaded from different sources than the script. This prevents scripts
from snooping on the user's input (such as the keystrokes that
constitute a password entry) to other pages.
|