2.9 JavaScript Security Restrictions
For security reasons, client-side JavaScript implementations
typically impose restrictions on the tasks that scripts can perform.
The most obvious restrictions are omissions of dangerous
capabilities: there is no way for client-side JavaScript to delete
files on a user's local hard disk, for example.
Other restrictions exist to prevent the disclosure of private
information or to keep scripts from annoying users. There is no
standard set of security restrictions, but the following are
restrictions found in typical browser implementations.
Don't attempt to write scripts that do these things:
even if they work for your browser, they probably
won't work in others.
- Same origin policy
Scripts can only read properties of windows and documents that were
loaded from the same web server. This is a substantial and pervasive
restriction on cross-window scripting, and prevents scripts from
reading information from other unrelated documents that the user is
viewing. This restriction also prevents scripts from registering
event handlers or spoofing events on unrelated documents.
- File uploads
Scripts cannot set the value property of the
FileUpload form element.
- Sending email and posting news
Scripts cannot submit forms to mailto: or
news: URLs without user confirmation.
- Closing windows
A script can only close browser windows that it created itself,
unless it gets user confirmation.
- Snooping in the cache
A script cannot load any about: URLs, such as
about:cache.
- Hidden windows and window decorations
A script cannot create small or offscreen windows or windows without
a titlebar.
Note that this list of security restrictions is not static. As the
use of JavaScript has grown, advertisers and unsavory characters have
started doing annoying things with it. As a result, newer browsers,
such as Mozilla 1.0, allow user-configurable security restrictions
that can prevent scripts from opening new windows (such as pop-up
ads), or from moving or resizing existing windows.
|
No comments:
Post a Comment