JavaScript Security Restrictions

As JavaScript operates within the realm of highly sensitive data and programs, its capabilities have been restricted to ensure that it can’t be used maliciously. As such, there are many things that JavaScript simply is not allowed to do. For example, it cannot read most system settings from your computer, interact directly with your hardware, or cause programs to run.

Also, some specific interactions that would normally be allowed for a particular element are not permitted within JavaScript, because of that element’s properties. For example, changing the value of a form field is usually no problem, but if it’s a file input field, writing to it is not allowed at all—a restriction that prevents malicious scripts from making users upload a file they didn’t choose.
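As an added example (not from the book), the probe below classifies how a browser treats a script write to a file input, so the restriction can be checked in a regression test. The function names and the sample path are constructed for this illustration; the note about clearing the field reflects the current HTML standard, not the text above.

```javascript
// Added example: checks that a script cannot choose the file a user uploads.
// All names and the sample path below are constructed for illustration.

// Try to write a path into a file input and classify what the host did:
//   "blocked" - the assignment threw (current browsers: InvalidStateError)
//   "ignored" - no exception, but the value did not change
//   "allowed" - the value changed, i.e. the restriction is NOT enforced
function probeFileInputWrite(input, attemptedPath) {
  const before = input.value;
  try {
    input.value = attemptedPath;
  } catch (err) {
    return { outcome: "blocked", error: err.name };
  }
  const changed = input.value !== before;
  return { outcome: changed ? "allowed" : "ignored", error: null };
}

// The HTML standard lets a script reset the field to the empty string,
// which only clears the selection and cannot pick a file for the user.
function probeFileInputClear(input) {
  try {
    input.value = "";
  } catch (err) {
    return { outcome: "blocked", error: err.name };
  }
  return { outcome: input.value === "" ? "cleared" : "ignored", error: null };
}

// Build a detached file input from the given document and run both probes.
function runProbe(doc) {
  const input = doc.createElement("input");
  input.type = "file";
  return {
    write: probeFileInputWrite(input, "C:\\constructed\\example.txt"),
    clear: probeFileInputClear(input),
  };
}

// In a browser, log the result; a "write" outcome of "allowed" is a failure.
if (typeof document !== "undefined") {
  console.log(runProbe(document));
}
```

Any `write` outcome other than "blocked" or "ignored" means the environment is not enforcing the restriction described above.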

There are quite a few examples of similar security restrictions, which we’ll expand on as they arise in the applications we’ll cover in this book. But to summarize, here’s a list of JavaScript’s major limitations and security restrictions, including those we’ve already seen. JavaScript cannot:

❑ open and read files directly (except under specific circumstances, as detailed in Chapter 18).
❑ create or edit files on the user’s computer (except cookies, which are discussed in Chapter 8).
❑ read HTTP POST data.
❑ read system settings, or any other data from the user’s computer that is not made available through language or host objects.
❑ modify the value of a file input field.
❑ alter the display of a document that was loaded from a different domain.
❑ close or modify the toolbars and other elements of a window that was not opened by script (i.e., the main browser window).

Ultimately, JavaScript might not be supported at all.

It’s also worth bearing in mind that many browsers include options that allow greater precision than simply enabling or disabling JavaScript. For example, Opera includes options to disallow scripts from closing windows, moving windows, writing to the status bar, receiving right-clicks … the list goes on. There’s little you can do to work around this, but mostly, you won’t need to—such options have evolved to suppress “annoying” scripts (status bar scrollers, no-right-click scripts, etc.) so if you stay away from those kinds of scripts, the issue will come up only rarely.