[Eug-lug] How secure is Javascript?

Jimmy Hendrix jimmythedestroyer at gmail.com
Wed Jul 9 16:03:04 PDT 2008


Random javascript can definitely be annoying, but as a web app programmer, I
can tell you that it isn't much of a threat these days since it runs in a
fairly restrictive sandbox that, for example, doesn't allow access to the
file system without making a special request to the user for additional
permissions.  From a development perspective, it's kind of a pain, but from
a security perspective it is absolutely necessary.

The only real javascript threat that I am aware of is cross site scripting
where some malicious javascript tries to post to a different site than the
one you are using.  Modern browsers tend to handle this by only allowing
javascript to communicate with the server it came from.  There are ways to
request permissions to get around that, but again, it will prompt the user
directly for them.

All of what I said ONLY applies to javascript on web sites.  Running a
javascript program locally or even as part of a Firefox plugin will inherit
the permissions of the user most of the time.  So only install trusted
plugins and run trusted scripts locally.  Online you are basically fine as
long as you use an up to date browser like Firefox.

Jimmy

On Wed, Jul 9, 2008 at 3:53 PM, Allen Brown <abrown at peak.org> wrote:

> I am moderately paranoid about allowing web sites run javascript
> in my browser.  (I use NoScript in Firefox.)  Basically I only
> enable it if I know the owner of the site or trust them because
> of who they are.  Examples: personal friends or banks.
>
> Am I being unnecessarily paranoid?  Has Javascript gotten good
> enough that I can let my guard down?  How do you all handle this?
> --
> Allen Brown  abrown at peak.org  http://brown.armoredpenguin.com/~abrown/
>  Criticism may not be agreeable, but it is necessary. It fulfils
>  the same function as pain in the human body. It calls attention
>  to an unhealthy state of things. --- Sir Winston Churchill
> _______________________________________________
> EUGLUG mailing list
> euglug at euglug.org
> http://www.euglug.org/mailman/listinfo/euglug
>