Scripting and Web Security
With the introduction of scripting, Internet security has become an extremely
important issue. Currently, browsers create a
sandbox around the scripted page so that it can access only a well-defined set of information. There is no way in
Dynamic HTML to access the client's machine and hard disk beyond a very
well-controlled mechanism known as cookies. Cookies are discussed in Chapter 6, "The
HTML Document."
Even without accessing the user's machine, however, the ability to access
the contents and manipulate a page could have been a security risk. For example, a
page outside a firewall should not be able to access the contents of a page that is
within the firewall. An unauthorized page could access the text of the page and send it
back to the server. The sandbox model requires the pages to be from the same
domain before permitting unlimited access to the contents. This restriction prevents a
document in one frame from accessing a document in another frame if the
documents come from different sites.
To further guarantee security, the object model is limited in a number of
cases. For example, the file upload object allows a user to upload files to the server.
To ensure that the page does not have access to the user's file system, the
value property representing the file to be uploaded is read-only. The
history object that allows Forward and Back buttons to be created does not expose any information about
the URL that is about to be displayed. Additional security restrictions are pointed
out throughout this book.
For those who are very concerned about security, the browser allows users
to turn on and off different features, including Java applets and ActiveX
controls, cookies, and even scripting. The object model can access limited information that
helps it determine the state of the browser and react accordingly. [Содержание]
|
