[wellylug] javascript

Donald Gordon don at dis.org.nz
Thu Aug 1 22:20:40 NZST 2002


On Thu, 1 Aug 2002 22:00:33 +1200
"V K" <list0570 at paradise.net.nz> wrote:

> > > Browsing with javascript on is a security risk and should
> > > therefore be avoided. If you must, you get what you described.
> > 
> > Why is it any more so than browsing with, say, HTML rendering turned
> > on?
> 
> Is that a serious question?

Yes.

> With html, all you can do is muck up some screen pixels, or trace the
> viewer indirectly by linking to spy-images (these are often 1x1 pixel
> gifs, their only purpose is to let the site owner know that you viewed
> the page). It's not possible to steal data from your disk or damage
> files.

Theoretically, javascript imposes similar limitations.  There are no
means (to my knowledge) in the client-side Javascript specification for
accessing data on the local system (beyond setting an HREF in a tag to
point to the local disk, and that shouldn't allow the javascript code to
directly process that data).

> With javascript, oh boy, keep in mind that you are executing an
> unknown program on your computer. Would you just download any binary
> from the web / friends / etc and run it on your box? Clearly not, only
> Microsofties do that.

If it was to run inside a sandbox (which I had some reasonable level of
trust in), yes.  Javascript scripts aren't "any binary".

> Of course, there is supposed to be a safety-shell around the
> javascript programs. Does it work? Does it hold? Do you know? There
> have been cases where the javascript implementation was faulty and
> allowed malicious code to steal things from your disk (this includes
> cookies to which this page should not have access). Executing other
> programs on your computer is also a possibility (IIRC). Plus all those
> obnoxious popups...

Yes; but there can be bugs in your HTML parser and renderer and
supporting infrastructure, too, that could allow an attacker to get
control of your PC (although admittedly not in nearly as portable a
fashion as some javascript implementation bugs) - for example, the
Windows bug that would cause accesses to C:\[device]\[device] to crash
the system.  By allowing *any* untrusted data onto your PC you are
facing a potential security risk.  Javascript has been around for a
while, its implementations are becoming more mature (and some of them
allow you to disable those pop-ups); I'm not sufficiently paranoid to
turn it off entirely.

don

-- 
Name: Donald Gordon  | "You know, it's a shame, 99.
SMTP: don at dis.org.nz |   All this could have been avoided."
PSTN: +64212610345   | "How?" "If only he had used
IPv6: 3ffe:b80:704:: |   his leg for good, instead of evil."
