January 21, 2021
Hot Topics:

JavaScript Security

  • By Thomas Valentine
  • Send Email »
  • More Articles »

In your evolution as a web developer, you'll run into some security problems eventually. The makers of JavaScript have identified and solved most of the really glaring security holes; the browser vendors have plugged up some the holes themselves, along with adding a certain measure of guaranteed security through browser operations. There are several different approaches to security inherent in JavaScript. Each has its own pros and cons, but as a whole they work pretty well. Some of the security procedures are within the JavaScript interpreter, and some are within the browser itself. As you begin to develop, you (or your employer) will no doubt insist on the implementation of some measure of security. Not taking security considerations into account will lead to tampering. It's a fact, so you have to deal with it. Leaving out security in your development will open your creation (and your company) to tampering. Your site users will not use your offered content when word gets out that they are vulnerable due to your security holes.

The browser runs off of the operating system itself; this means that the file system of the user's machine is a potential target for malicious users. It is entirely possible to access a user's directory listing through JavaScript. Hackers know this, and exploit it on a regular basis. Security starts with your servers, because it is there that the user downloads—and executes upon their machine—your code. Your servers must be tightly controlled and regularly monitored. Your code must be clean, leaving no threads open to outside access. This is the developer's responsibility.

User responsibilities are basically whether or not to trust your content to run in their machines, leading me back to the security you, the developer, will implement. This ability to trust your content and run or not run your scripts is within the capabilities of the browser; it is a setting in the preferences section of the browser.

The Problem with Frames

When the first instances of frames were implemented on the Internet, it took all of two months for the first major security holes to open up and be recognized by the hacking community. To understand how frames were used to present a security hole is to first understand frames themselves.

The way a web page renders frames is as follows:

  1. A page with instructions for the frames to be rendered is loaded.
  2. The addresses and particulars of how the frames will be rendered such as border properties and the placement of the frames themselves is given to the browser.
  3. The documents that will be used to display the content of the frames are then loaded into the given frames.
  4. The page is then rendered (displayed) to the browser window.

Within this procedure is the ability to load and execute web pages from other servers on other domains. The JavaScript variables from one domain are available for examination and modification to the web pages from the other domains that are used within the other frames that make up the page. The first strategy to combat this problem was the Same Origin Policy, which was taken up by Netscape Navigator, Internet Explorer, and Opera.

The Same Origin Policy: Security the Internet Explorer Way

The Same Origin Policy prevents JavaScript code that was sent from one server to access the properties of a document sent from another server, another port, or another protocol and return that information to the original server. The Same Origin Policy does not affect all elements of an HTML document, but rather the key JavaScript elements that a functioning script within an HTML document cannot be executed without. The elements that are enforced by the Same Origin Policy that must pass an origin inspection are as follows:

  • document: The reading and writing of the anchors, applets, cookies, domains, elements, embeds, forms, lastModified, length, referrer, title, and URL methods and properties. Also verified is each instance of a form element, and all Java CLASSes available to a JavaScript function via LiveConnect.
  • image: The lowsrc and src properties.
  • layer: The src property.
  • location: Every property available to location except location.x and location.y.
  • window: The find property.

You can see that most of the functionality of the common JavaScript script must use at least one of the properties and methods that must pass the origin inspection, making it next to impossible to maliciously alter or access the scripted functions of a framed window.

Occasionally, you may have a need to go against the Same Origin Policy to achieve the desired result from your web application. An exception has been made to address this possibility. To access the information within a page created and displayed within one of the page frames, you would use the "document.domain" statement to list a domain that is trusted by the web application and thus the browser. For example, for a page that originated at http://developer.walkthegeek.com to access variables and scripted entities from a page that originated at http://www.walkthegeek.com, you would use the following statement within your function:

document.domain = "walkthegeek.com";

Setting the document.domain property in this way tells the browser to trust all content from the domain www.walkthegeek.com as well as all subdomains of walkthegeek.com, such as the aforementioned developer.walkthegeek.com.

Data Tainting: Security the Netscape Way

When it was seen that more security was needed to protect Internet users, Netscape initiated a new type of security that was more powerful than anything previous: Data Tainting. Data Tainting is a combination of the Same Origin Policy and a setting on the client (user's) computer. It works in much the same way. It controls the right to trust another domain and access JavaScript variables and objects from a page served from a different server, and can be turned on and off at will. Basically, if Data Tainting is turned off, a message window will pop up saying that accessing JavaScript entities on pages from another domain is not allowed.

Because the Data Tainting is part of your operating system, it cannot be turned on and off through the browser. Examine the following list that states how to enable Data Tainting in the various operating systems. It's really quite easy to do.

  • Windows - NS_ENABLE_TAINT=1: Place the statement given in the autoexec.bat file for Windows 3.1X, 95, 98, and NT. For Windows NT, you also may set data tainting as a User Environment variable.
  • UNIX - NS_ENABLE_TAINT=1: This one depends on which UNIX shell you are operating with. Basically, you would set an environment variable through the use of the set env or env commands.
  • Macintosh: You would remove the two forward slashes before the NS_ENABLE_TAINT statement, which can be found by editing the resource of type envi and number 128 in the Navigator application itself. The NS_ENABLE_TAINT statement should be near the end of the document.
  • OS/2 - NS_ENABLE_TAINT=1: Set the given statement in the config.sys file in the root of your startup drive.

Page 1 of 2

This article was originally published on January 16, 2009

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date