Active-X, JAVA, Javascript, etc....

Edward Wigg e-wigg at evanston.lib.il.us
Wed Oct 30 11:37:41 EST 1996


At 06:05 PM 10/29/96 -0800, Marc Salomon <marc at ckm.ucsf.edu> wrote in reply
to Mark Wilcox <WILCOX at lis.unt.edu>:
....
>|It has many security features built in for running on a network but like 
>|any fortress it can be defeated.
>
>Like any fortress it excels at one task, defense, while ignoring most
>other, more mundane tasks.  The security features that you point out are
>there because the language has been lobotomized, on the net implementation,
>at least....

This is somewhat unfair; the restrictions (lobotomization if you will) of
JAVAscript are entirely intentional. 

It is pretty much axiomatic that anything that can do useful work can be
subverted into being destructive. This is especially true of programming
languages that can control system resources. For example, if you can write
files to a local disk you can overwrite important files, and if you allow
network connections to a third party your computer can be used as a
springboard for attacking another site. For a real world example it is (or
at least used to be) entirely possible to write Postscript files that do
damage -- download something purporting to be a useful document in
Postscript format and have it damage data on your hard drive; not a risk
that most of us consider most of the time, but the logic behind the
lobotomization of JAVAscript.

JAVAscript is an attempt to overcome some of this limitation by creating a
virtual machine which can do useful work but cannot touch outside resources
(the so called sandbox approach). Whether or not this will ever reach a
viable combination of utility and security is anyone's guess, but
complaining because JAVAscript won't format your disk for you is perverse.

Edward
--------------------------------------------------------------
Edward Wigg                      "Just another guy, you know?"
Evanston Public Library             e-wigg at evanston.lib.il.us
Evanston, Illinois                  