Client-side JavaScript
normal event handlers have the option of preventing the
event from propagating any further, although the way
this is done is different in each model.
Event handler registration
In the W3C event model, event handlers are not simply
assigned to properties of document objects. Instead, each
document object has an
addEventListener() method that
you call to register an event handler function for a named
type of event. This allows advanced applications to regis-
ter more than one handler for the same event type.
JavaScript Security Restrictions
For security reasons, client-side JavaScript implementations
typically impose restrictions on the tasks that scripts can per-
form. The most obvious restrictions are omissions of danger-
ous capabilities: there is no way for client-side JavaScript to
delete files on a user’s local hard disk, for example. Other
restrictions exist to prevent the disclosure of private informa-
tion or to keep scripts from annoying users. There is no stan-
dard set of security restrictions, but the following are
restrictions found in typical browser implementations. Don’t
attempt to write scripts that do these things: even if they
work for your browser, they probably won’t work in others.
Same origin policy
Scripts can only read properties of windows and docu-
ments that were loaded from the same web server. This is
a substantial and pervasive restriction on cross-window
scripting, and prevents scripts from reading information
from other unrelated documents that the user is viewing.
This restriction also prevents scripts from registering event
handlers or spoofing events on unrelated documents.
File uploads
Scripts cannot set the
value property of the FileUpload
form element.

Get JavaScript Pocket Reference now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.