November 2001
Intermediate to advanced
936 pages
68h 43m
English
Content preview from JavaScript: The Definitive Guide, Fourth EditionBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Restricted Features
As I’ve already
mentioned, the first line of defense against malicious scripts in
client-side JavaScript is that the language simply omits certain
capabilities. The second line of defense is that JavaScript imposes
restrictions on certain features that it does support. For example,
client-side JavaScript supports a
close( ) method for the
Window object, but most (hopefully all) web-browser implementations
restrict this method so that a script can close only a window that
was opened by a script from the same web server. In particular, a
script cannot close a window that the user opened; if it tries to do
so, the user is presented with a confirmation box asking if he really
wants to close the window.
The most important of these security restrictions is known as the same-origin policy and is described in the next section. The following is a list of the other security restrictions found in most implementations of client-side JavaScript. This is not a definitive list. Each browser may have a slightly different set of restrictions, and the proprietary features of each browser may well have proprietary security restrictions to go along with them.
The History object was originally designed as an array of URLs that represented the complete browsing history of the browser. Once the privacy implications of this became apparent, however, all access to the actual URLs was restricted, and the History object was left with only its
back( ),forward( ), andgo( )methods ...