The Sandbox






The Sandbox

Some security measures are browser-dependent or require deliberate action. One such uses digital signatures to sign a script. A signed script is allowed to bypass many of the sandbox security policies associated with JS, including the same-domain policy (depending on browser and access). For instance, this is an approach Ajax developers sometimes use to communicate with server applications located on domains different from the web page initiating the request.

The limitation with signed scripts is the lack of universal support for the concept. Mozilla/Firefox support signing the script, but Internet Explorer does not; IE supports only signing of controls. Other browsers don't support either. This limitation is enough to make the concept impractical for most Internet use.

Most JavaScript developers depend instead on the security policies inherent to all uses of JavaScript, rather than those specific to a particular browser. Among the key elements of the language, and unlike many other languages, JavaScript has no file-access functionality: there is no ability to open, create, or delete a file from the operating system. There are only low-level networking capabilities, such as loading a web page; none allow the language to initiate a connection to another site and transmit data silently.

Same-Origin Security Policy

Restricting the functionality of the language is only the start. As JavaScript has evolved over timeand through painful experienceother policies and procedures have been incorporated into the JavaScript engines to increase language security. One such policy is the same-origin security policy.

Since Netscape 2.0, JavaScript has operated under a policy called the same-origin policy. This policy, which is universally supported in browsers, ensures that there is no communication via script between pages that have different domains, protocols, or ports. The same-origin policy applies to communication between separate pages, or from a parent window to an embedded window, such as frames or iframes.

Why is this restriction so important? If a web site pops open a small window that ends up behind your main page, and you continue on to other sites, such as your bank, JavaScript in that pop-up window could listen in on your activities in that separate page. The same-origin policy prevents this type of snooping by preventing JavaScript in a page opened in one domain from having any access to a page opened in another.

As an example of same origin, if a page opened from a domain such as http://somecompany.com tries to access information from a page accessed from any of the following domains, the JavaScript used would fail:


http://othercompany.com

This would fail because the domain is different: somecompany.com is not the same as othercompany.com.


https://somecompany.com

This would fail because the protocol is different: http is not the same protocol as https.


http://somecompany.com:8080

This would fail because the port is different: the original request did not specify any port in the URL (falling back on the default port, usually 80).


http://other.somecompany.com

This would fail because the host is different; the use of the other hostname (subdomain) changes the host.

Using document.domain

Unfortunately, same origin can work against a site developer's efforts. The use of alternative hostnames with the same domain, known as subdomains, such as about.somecompany.com and help.somecompany.com, is becoming increasingly popular and the last same-origin restriction can become prohibitive. To work around this restriction, there's a property on the document object, domain, which when set, allows subdomain pages to communicate with each otherbut only subdomain pages, and only if the document property and the original host domain match.

If the page containing the JavaScript is accessed through the URL http://admin.somecompany.com, then document.domain can be set to the somecompany.com, which is the domain of the original access. It cannot be set to othercompany.com, which is a different domain.

The following will work:

document.domain = "somecompany.com";

This will not:

document.domain = "othercompany.com";

When set, JavaScript in a page at admin.somecompany.com could then communicate with a page opened at help.somecompany.com.

Luckily, the same origin policy does not apply when linking scripts in from other domains. Scripts can be linked from anywhere, and then are treated as if the JavaScript originates within the pageincluding the same domain for all further communication. Without this ability to link scripts in from other domains, functionality such as Google Maps (covered in Chapter 13) couldn't be implemented.

The policy of same origin does apply, however, to the implementation of cookies.



 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows