The user's responsibility comes down to one decision: whether or not to trust your content enough to let it run on their machine. That decision throws the burden back onto the security that you, the developer, implement. The browser gives the user the ability to allow or refuse your scripts: it is a setting in the browser's preferences section.
The Problem with Frames
When the first implementations of frames appeared on the Internet, it took all of two months for the first major security holes to open up and be recognized by the hacking community. To understand how frames came to present a security hole, you first have to understand frames themselves.
The way a web page renders frames is as follows:
- A page with instructions for the frames to be rendered is loaded.
- The addresses of the frame documents and the particulars of how the frames will be rendered, such as border properties and the placement of the frames themselves, are given to the browser.
- The documents that will be used to display the content of the frames are then loaded into the given frames.
- The page is then rendered (displayed) to the browser window.
The Same Origin Policy: Security the Internet Explorer Way
- image: The lowsrc and src properties.
- layer: The src property.
- location: Every property available to location except location.x and location.y.
- window: The find property.
Occasionally, you may need to relax the Same Origin Policy to achieve the desired result from your web application. An exception has been made to address this possibility. To access the information within a page created and displayed within one of the page's frames, you assign the document.domain property a domain that is trusted by the web application and thus by the browser. For example, for a page that originated at http://developer.walkthegeek.com to access variables and scripted entities from a page that originated at http://www.walkthegeek.com, you would use the following statement within your function:
document.domain = "walkthegeek.com";
Setting the document.domain property in this way tells the browser to trust all content from the domain www.walkthegeek.com as well as all subdomains of walkthegeek.com, such as the aforementioned developer.walkthegeek.com.
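The following is an added example, not code from the original tutorial: a small model of the check a browser performs when two framed pages try to reach each other, first under the strict Same Origin Policy and then after each page has assigned document.domain as shown above. The hosts are the tutorial's own (walkthegeek.com and its subdomains); the function names sameOrigin, originOf, isSuperdomain and canAccess are assumptions made for this example, and the model deliberately ignores the public-suffix list that real browsers consult. One point the model makes explicit: the relaxation only works when both pages set document.domain to the same value, so the statement above has to run in the www.walkthegeek.com page as well as in the developer.walkthegeek.com page.

```javascript
// Added example (not from the original tutorial): a model of the browser's
// same-origin check and of the document.domain relaxation. Function names
// and the simplifications below are assumptions made for this example.

// Ports assumed when a URL omits one, so that http://host and
// http://host:80 compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a URL into the (scheme, host, port) triple that the
// Same Origin Policy compares. URL is the WHATWG URL parser.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Strict check: scheme, host and port must all match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// True when `domain` is the host itself or one of its parent domains,
// e.g. "walkthegeek.com" for "developer.walkthegeek.com". A page may only
// assign document.domain such a value. Simplification: a bare top-level
// domain such as "com" is refused by requiring at least one dot; a real
// browser checks the public-suffix list instead.
function isSuperdomain(host, domain) {
  if (!domain.includes(".")) return false;
  return host === domain || host.endsWith("." + domain);
}

// May a script in page A touch page B's document? domainSetByA/B is the
// value each page assigned to document.domain, or null if it never did.
// Rules modelled: scheme and port must still agree; either both pages set
// document.domain or neither did; each value must be a superdomain of the
// page's real host; and the two values must be identical.
function canAccess(urlA, domainSetByA, urlB, domainSetByB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  if (a.scheme !== b.scheme || a.port !== b.port) return false;

  const aSet = domainSetByA != null;
  const bSet = domainSetByB != null;
  if (aSet !== bSet) return false; // one-sided opt-in opens nothing

  const effA = aSet ? domainSetByA.toLowerCase() : a.host;
  const effB = bSet ? domainSetByB.toLowerCase() : b.host;
  if (!isSuperdomain(a.host, effA) || !isSuperdomain(b.host, effB)) return false;
  return effA === effB;
}

// Constructed sample: the two pages from the tutorial's own example.
const devPage = "http://developer.walkthegeek.com/page.html";
const wwwPage = "http://www.walkthegeek.com/frame.html";

console.log("strict SOP:", sameOrigin(devPage, wwwPage));                               // false
console.log("both set walkthegeek.com:", canAccess(devPage, "walkthegeek.com", wwwPage, "walkthegeek.com")); // true
console.log("only one side set:", canAccess(devPage, "walkthegeek.com", wwwPage, null));   // false
console.log("unrelated domain:", canAccess(devPage, "example.com", wwwPage, "example.com")); // false
```

Run it with node; the last two lines are the cases worth remembering when the relaxation appears not to work: a page that did not itself assign document.domain stays isolated, and a value that is not a parent of the page's real host is refused outright. The model also shows why the relaxation is a blunt tool: once both pages opt in, every other page under walkthegeek.com that does the same gains the same access, which is the reason the property is deprecated in current browsers in favour of targeted mechanisms such as postMessage.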
Data Tainting: Security the Netscape Way
Because Data Tainting is enabled through your operating system's environment rather than through the browser, it cannot be turned on and off from within the browser. The following list states how to enable Data Tainting on the various operating systems. It's really quite easy to do.
- Windows - NS_ENABLE_TAINT=1: Place the statement given in the autoexec.bat file for Windows 3.1X, 95, 98, and NT. For Windows NT, you also may set data tainting as a User Environment variable.
- UNIX - NS_ENABLE_TAINT=1: This one depends on which UNIX shell you are using. Basically, you would set an environment variable through the use of the setenv or env commands.
- Macintosh: You would remove the two forward slashes before the NS_ENABLE_TAINT statement, which can be found by editing the resource of type envi, number 128, in the Navigator application itself. The NS_ENABLE_TAINT statement should be near the end of the resource.
- OS/2 - NS_ENABLE_TAINT=1: Set the given statement in the config.sys file in the root of your startup drive.