21.2 Restricted Features
As I've already mentioned, the first line of defense against malicious scripts is restrictions on certain features that it does support. For example,
Window object, but most (hopefully all) web-browser implementations restrict this method so that a script can close only a window that was opened by a script from the same web server. In particular, a script cannot close a window that the user opened; if it tries to do so, the user is presented with a confirmation box asking if he really wants to close the window.
The most important of these security restrictions is known as the same-origin policy and is described in the next section. The following is a list of the other security restrictions found in most implementations of
definitive list. Each browser may have a slightly different set of restrictions, and the proprietary features of each browser may well have proprietary security restrictions to go along with them.
The History object was originally designed as an array of URLs that represented the complete browsing history of the browser. Once the privacy implications of this became apparent, however, all access to the actual URLs was restricted, and the History object was left with only its back(), forward(), and go() methods to move the browser through the history array without revealing the contents of the array.
The value property of the FileUpload object cannot be set. If this property could be set, a script could set it to any desired filename and cause the form to upload the contents of any specified file (such as a password file) to the server.
A script cannot submit a form (using the submit() method of the Form object, for example) to a mailto: or news: URL without the user's explicit approval through a confirmation dialog box. Such a form submission would contain the user's email address, which should not be made public without obtaining the user's
user confirmation unless it opened the window itself. This prevents malicious scripts from calling self.close() to close the user's browsing window, thereby causing the program
script cannot open a window that is smaller than 100 pixels on a side or cause a window to be resized to smaller than 100 pixels on a side. Similarly, such a script cannot move a window off the screen, or create a window that is larger than the screen. This prevents scripts from opening windows that the user cannot see or could easily overlook; such windows could contain scripts that keep running after the user thinks they have stopped. Also, a script may not create a browser window without a titlebar, because such a window could be made to spoof an operating-system dialog box and trick the user into entering a sensitive password, for example.
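The size and position restrictions just described, modelled as an added example (not code from the book or from any browser): it parses a window.open() feature string and clamps the requested geometry to the rules above. The screen size is a parameter, and the 400x300 default for unspecified dimensions is an assumption of the example.

```javascript
const MIN_SIDE = 100; // smallest side a script may request, per the restriction above

// Parse a window.open() feature string such as "width=50,height=50,left=-200"
// into an object of integers; entries that are not integers are ignored.
function parseFeatures(features) {
  const out = {};
  for (const part of features.split(",")) {
    const [key, value] = part.split("=").map((s) => s.trim());
    if (key && value !== undefined && /^-?\d+$/.test(value)) {
      out[key.toLowerCase()] = Number(value);
    }
  }
  return out;
}

function clamp(n, lo, hi) {
  return Math.min(Math.max(n, lo), hi);
}

// Apply the size and position restrictions for a screen of the given size.
// Unspecified dimensions default to 400x300 at (0,0): an assumption of this
// example, not a value from the text. Returns the geometry that would actually
// be used and the names of the rules that changed the request.
function restrictGeometry(features, screen) {
  const req = parseFeatures(features);
  const applied = [];
  let { width = 400, height = 300, left = 0, top = 0 } = req;

  // Rule 1: no window smaller than MIN_SIDE on a side (open or resize).
  if (width < MIN_SIDE || height < MIN_SIDE) {
    width = Math.max(width, MIN_SIDE);
    height = Math.max(height, MIN_SIDE);
    applied.push("min-size");
  }
  // Rule 2: no window larger than the screen.
  if (width > screen.width || height > screen.height) {
    width = Math.min(width, screen.width);
    height = Math.min(height, screen.height);
    applied.push("max-size");
  }
  // Rule 3: the whole window must stay on screen, so it cannot be hidden.
  const onLeft = clamp(left, 0, screen.width - width);
  const onTop = clamp(top, 0, screen.height - height);
  if (onLeft !== left || onTop !== top) applied.push("on-screen");

  return { width, height, left: onLeft, top: onTop, applied };
}
```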
A script may not cause a window or frame to display an about: URL, such as about:cache, because these URLs can expose system information, such as the contents of the
any of the properties of an Event object. This prevents scripts from spoofing events. A script cannot register event listeners for, or capture events for, documents loaded from different sources than the script. This prevents scripts from snooping on the user's input (such as the keystrokes that constitute a password entry) to other pages.