Privacy for Browser Users

For users of JavaScript enabled browsers, requesting a URL represents a risk if it contains JavaScript. Without security hobbles, JavaScript could seize control of the browser, or possibly the browser's computer. The simplest form of privacy for the user is to turn JavaScript support off in the browser via the browser preferences. This can't be done from within a JavaScript script, except via the navigator.preference property in Netscape Navigator 4.0, and even then the browser must be shut down and re-started for it to take effect.

A number of JavaScript bugs that create security risks have been identified in version 3.0 and 4.0 browsers. To avoid as many of these as possible, make sure you have the latest version of the browser available. For example, at this time of writing Netscape Navigator 4.04 is the latest, not 4.02 or 4.01. This Web page: http://www-genome.wi.mit.edu/WWW/faqs/wwwsf?/html is a good starting point for JavaScript security bug information.

There are several kinds of security hobbles that protect the browser user's privacy.

I/O restrictions

It is nearly always true that client-side JavaScript is restrained from doing any input or output without the user's permission. Generally, the user can be confident that no changes are occurring to the local computer outside of the browser, but there are exceptions. Writing to files, to network connections, and to the display are the main sources of risk. Of these, display-related restrictions are discussed further on. The file and network cases are generally impossible, except for the following possibilities.

Local scripts

If a browser loads a script directly from the local computer without using a web server, then that script can do anything the language and host objects allow. The user may get a warning and an option to back out, depending on how the browser's security preferences are set up. Internet Explorer 3.0 with JScript 2.0 (and later versions) allows script writers to read, write and create any file on the browser's computer using JavaScript facilities directly. This is achieved with the JavaScript FileSystemObject and TextStream objects.

JScript 3.0 adds the File and Folder objects which allow local files to be removed or renamed as well as created or changed, but this is only possible for Internet Explorer 4.0, and browser security options must be lowered by the user as well.

Netscape JavaScript can also write to local files, but there is no direct support in the language. Instead, Java objects supply this functionality; those objects must be accessed via LiveConnect. Here is an example of writing a user-supplied string to a user-supplied filename. See the Chapter 8 to understand the mechanics at work here:

<HTML><BODY><SCRIPT>
function save_it(filename, filedata);
{
    netscape.security.PrivilegeManager.enablePrivilege("UniversalFileWrite");
    var jo_file   = new java.io.FileOutputStream(filename);
    var jo_stream = new java.io.DataOutputStream(jo_file);
    jo_stream.writeChars(filedata);
    jo_stream.close();
    netscape.security.PrivilegeManager.disablePrivilege("UniversalFileWrite");
}
</SCRIPT>
<FORM>
File Name: <INPUT TYPE="text" NAME="file"><BR>
File Data: <INPUT TYPE="text" NAME="data"
                  ONCHANGE="save_it(this.form.file.value, this.value)">
</FORM></BODY></HTML>

This example also requires some agreement from the user before it can go ahead. See the Security section.

Java connections

A browser that supports Java applets can make network connections. With ActiveX or LiveConnect, JavaScript scripts can control these applet connections. Chapter 8 describes how.

However, without a security agreement, the connections are limited. Java applets are downloaded via a URL in an <APPLET> or <OBJECT> HTML tag. Only the computer supplying the page for that URL can be connected to. If the tag includes a CODEBASE URL, then the computer at that codebase URL is the only possibility for connections.

A more subtle possibility stems from the fact that one Java applet may converse directly with another. However, the part of the Java system that loads applets also ensures that applets from different sites can't communicate. This prevents one applet from exploiting the network connections available to another.

Cookies

Cookies are described in a later section of this chapter. The cookie data available to web servers doesn't include any very private information such as the user's name, so risk from cookies is minimal. Long-lived cookies are stored in a file on the browser's computer. However, this file is a plain data file with a maximum size of approximately 1200 Kilobytes for Netscape. Other than taking up space, this file doesn't do anything outside the browser environment. A cookie file will normally be only one or two Kilobytes.

Netscape Mission Control

The netscape.cfg file of Netscape 4.0 browsers can be configured to give away control of the user's preferences. A JavaScript script stored elsewhere under someone else's control assumes the task. In a company environment, this usually poses no privacy risks.

Window limitations

The main form of output from client-side JavaScript is not to files and network connections, but to the browser itself. JavaScript can affect windows in a browser in three ways:

Write new content to browser windows.
Change window decorations such as toolbars and menus.
Modify JavaScript host objects and variables within windows.

The user can have more than one browser window open at a time. The user can also have more than one URL per window if frames are present, and those URLs can come from different web sites. If it were not for a number of security hobbles, JavaScript could use its control over windows to:

Forge or manipulate content displayed from other web sites, misrepresenting it.
Make the browser uncontrollable by the user.
Wreck the JavaScript data and objects stored in windows displaying other web sites.

Two concepts are central to the window security features that prevent these things from happening.

Every Window is an Island

To understand window security restrictions, first take a step back and reflect on the ECMAScript standard.

In ECMAScript terminology, an 'execution environment' is a stage on which scripts can perform (execute), whether they are standalone or client-side scripts. When an execution environment is created, such as in a browser, a good question is: what is the current object? The standard states that all built-in objects and built-in functions in a script are part of a special 'global' object, which is the current scope when that script starts executing. Even functions like parseInt() can therefore be viewed as a method of an object.

However, there is not just one 'global' object in a JavaScript-capable web browser. Instead, the browser has a 'global' object for each browser window currently open. These global objects each have a property 'window' which refers back to that global object. These window properties provide a named hook so that the script writer can get access to that global object.

Each global object is like a bucket in which all the data specific to the window can be stored, making it easy to access. Therefore, the 'window' property sits at the top of a hierarchy (or a pool) of data that includes all the JavaScript variables, objects and host objects in that window. If the window is closed, everything owned directly or indirectly by the global object is tracked down and cleaned up.

This makes each window fully self-contained and independent. It makes it easy to keep scripts from interfering with other windows, since they can only ultimately belong to one global object. Viewed from the JavaScript perspective, the browser is not a single hierarchy or pool of properties and objects, it is a number of them.

Unfortunately, life is rarely that simple. In reality, one window will often contain JavaScript variables that refer to objects or properties in other windows. A simple example is the window.open() method—the return value can be stored in a variable in the containing window but refers to the global object in the newly created window. Similarly, the newly created window's global object has an 'opener' property referring back to the old window.

At the time of writing this, the ECMAScript standard doesn't specify how the communicating-between-globals system works. The answer for browsers is LiveConnect or ActiveX glue software. This glue is effectively invisible except when window ownership issues are important. The owner of a window is the host address of the window's main URL, for example 'www.this.com:80'. Attempts to work with properties or methods in a different window first have to pass checks based on the owners of the two windows. This script can be used to show the dynamic behavior involved:

<HTML><BODY><SCRIPT>
var win2 = null;

function open_local() { top.win2=window.open(window.location.href,'test'); }

function open_remote() { top.win2=window.open('http://www.wrox.com','test'); }

function show_it()
{
  window.document.forms[0].one.value = top.win2;
  window.document.forms[0].two.value = top.win2.name;
  window.document.forms[0].three.value = top.win2.location.href;
}
</SCRIPT><FORM>
<INPUT TYPE="button" VALUE="Open local window" ONCLICK="open_local()">
<INPUT TYPE="button" VALUE="Open remote window" ONCLICK="open_remote()">
<INPUT TYPE="button" VALUE="Show window details" ONCLICK="show_it()">
<INPUT TYPE="button" VALUE="Go backwards" ONCLICK="window.history.go(-1)">
<BR>
Type of win2: <INPUT NAME="one" TYPE="text"><BR>
Name of win2: <INPUT NAME="two" TYPE="text"><BR>
URL  of win2: <INPUT NAME="three" TYPE="text"><BR>
</FORM></BODY></HTML>

When displayed, the document looks like this:

This HTML page has three purposes:

Create a second window with a URL that is either at the same web site as the main window, or at a different one.
Display some state information about the second window.
Provide content for the second window when the URL for that window is at the same web site.

The 'Show window details' button is used to report the current state of the auto-created window.

The following discussion pertains to Netscape behavior. Before pressing either of the open buttons, reporting the current state produces an error because the second window is not open and therefore 'win2' is not yet an object. If a local window is opened, the name and URL will display correctly. If a remote window is opened, then an error results trying to get its URL (assuming you don't own the Wrox Web site). If you navigate with that new window back to a local web page, either via the 'Open local window' button or directly using the window toolbars, the URL is accessible again.

When the window is off-limits, Netscape's error is:

"Access disallowed from scripts at http://mysite/tests/remote_test.htm to documents in another domain".

This message assumes that the mysite site is where you are doing the testing.

If the second window is closed, a number of obscure errors can occur, depending on the version and whether Java is enabled or not. It is better not to examine a closed window object, except to test if the window IS closed by looking at the boolean value window.closed.

If this script is run with Internet Explorer 3.0 and Jscript 1.0, none of the second window's properties are accessible, including window.closed. This shows that JavaScript inter-window access is not a requirement for all browser tasks.

Every Window is Free

Without security arrangements granting the script writer special privileges, some browser features can't be removed from the user's control. These are:

Existing windows can't have toolbars or other window decorations removed or added.
Documents from other sites loaded into frames can't have their events stolen by the frameset
Windows can't be created so small that the user can't read the contents.
Windows can't permanently obscure other windows, or grab the user's input focus and keep it.

The Reference Section describes which methods require special privileges before they can be used. In particular, 'canvas' or 'kiosk' mode, in which a single window takes over the whole screen, requires special privileges for Netscape 4.0 browsers. For these browsers, the user can drop the above restrictions on scripts by changing their browser preferences as described in the 'Privacy For Scriptwriters' section.

Resource limiting features

Browsers are designed to limit the user to a fraction of the resources of the browser's computer:

Disk space. Pages loaded from a given web server can't consume more than 80 Kilobytes of space in a Netscape browser's cookie file—more than that can be consumed with Internet Explorer. Creating new JavaScript Image objects, or writing new HTML pages is still subject to the caching restrictions that the browser user puts in place when setting the browser's preferences. If the user has all caching turned off, Images or pages won't be cached if they aren't part of a currently displayed window.
Memory. Internet Explorer 4.0 allows the user to place an upper limit on the amount of memory that a newly downloaded ActiveX control can consume. Otherwise, browsers can still consume large amounts of memory. The video memory used for graphics and windows is easy for most browsers to consume, especially if there are many windows, frames and images displayed.

Such memory protection systems aren't foolproof. Even for normal memory and non-ActiveX controls, this script fragment will bring most browsers quickly to their knees (don't try this unless you're willing to re-boot):

<HTML><BODY><SCRIPT>
var big_string = "double me up!";

while (true)
{
    big_string = big_string + big_string;   // 20 iterations equals all your memory...
}
</SCRIPT></BODY></HTML>

Memory limitations also apply to Java applets in Netscape Navigator. Sometimes these applets are 'cleaned up' to save memory, which can also impact JavaScript. See Chapter 8 for further details.

Network Connections. JavaScript scripts might open many windows, but the maximum number of connections set by the user via preferences will still be observed. Any additional windows will have to wait for a free connection.
CPU. Netscape browsers and Internet Explorer 4.0 will abort any JavaScript script that executes more than one million "instructions" (a vague term used by the vendors, probably meaning one JavaScript statement) before finishing. This is designed to prevent scripts from locking the user out of the browser permanently, not to prevent the browser from consuming large amounts of CPU time. This feature can be annoying if you are trying to do long, complex calculations with the interpreter. The user still has access to window menus and toolbars. There is also a workaround: break the task into steps and only run one step at a time. Here is a before-and after example:

<HTML><BODY><SCRIPT>
var total = 234;
var new_items = 2555666;
function dumb_add()   // addition for people with only one finger
{
  while (new_items)   // won't complete: 2,555,666 iterations > 1,000,000
  {
    new_items--;
    total++;
  }
}
dumb_add();
alert('New total is: '+total);
</SCRIPT></BODY></HTML>

In the workaround case below, the browser will still be busy 99% of the time, but because the executing script breaks off regularly for a millisecond, the browser is satisfied that the user still has a chance to do things. The browser will therefore be able to respond to user input, but only slowly, especially if that input means other scripts need to run. At the same time, the long-running script will be able to eventually complete all its processing.

<HTML><BODY><SCRIPT>
var total = 234;
var new_items = 2555666;

function dumb_add()   // Do addition for people with only one finger
{
    var steps = 10000;   // don't run for too long
    while (new_items && steps)
    {
    steps--;
    new_items--;
    total++;
    }
    if ( new_items )
   setTimeout('dumb_add()',1);
    else
      alert('New total is: '+total);
}
dumb_add();
</SCRIPT></BODY></HTML>

Other risks

There are other risks for the user when using a browser on the Internet, but few of them involve JavaScript. A few do:

Submitting HTML forms. The user's name or email address cannot be obtained by a web site due to a form being submitted, unless the user has made special security arrangements. So submitting forms is generally safe for the user.
JavaScript cannot silently e-mail a user when the user browses to a web page. The user always gets the opportunity to confirm or cancel the submission.
The user can configure a helper application to run when a particular file type (MIME type) is fetched across the network. Configuring a standalone JavaScript interpreter to run when JavaScript files are received is a risky choice unless the interpreter has a security system of its own. This is because a downloaded standalone script will then automatically run, doing who-knows-what.
In modern browsers the user can release all of the restrictions in the browser that require a security agreement. To do this in Internet Explorer 4.0, in the Options dialog box, under security, set the minimum security level to None. In Netscape 4.0 browsers, shutdown all of the Netscape windows and modify by hand the prefs.js file. That file is stored in the Netscape installation area, there is one for each browser user. Add this line and restart the browser:

user_pref("signed.applets.codebase_principal_support", true);

This line means that every computer that supplies a script to the browser can be trusted to supply safe scripts. Obviously, this is not realistic and so this option is usually only used in test environments.