Javascript vs. JavaScript...

rmrucker · Post by **rmrucker** » Wed Aug 28, 2002 1:16 am

OK, just another ignorant question from me...

How does IE limit the functionality of JavaScript embedded in a web page?

If I can write JavaScript on my computer and have it modify my registry, why can't I do the same with JavaScript in HTML? The basic answer, I guess, is 'security permissions'. But how exactly does that work?? What actually keeps embedded JavaScript from doing what non-embedded JavaScript can do? If I have "Active Scripting" enable on web pages, doesn't that give script free range? Why not?

Thank you.

TonyT · Post by **TonyT** » Wed Aug 28, 2002 8:21 pm

Javascript running "in" a webpage is much different than javascript running on the local OS. Scripts that are embedded in an HTML doc run inside what is known as a "virtual sandbox". This sandbox is an arbitrary name given to the "zone" or security permissions of the usre's browser.

Active Scripting enabled allows scripts to be run in IE. This can further be modified by the security setting for each Security Zone in IE. (Internet Options\Security Tab\Custom Settings.

Running scripts of any kind on the local machine is not affected by IE settings. Any script can be run at anytime, unless there are restrictions placed on the machine. (policies in a NT based network)

rmrucker · Post by **rmrucker** » Thu Aug 29, 2002 1:01 am

How exactly is that 'sandbox' constructed? What keeps javascript in a web page from accessing a user's file or the user's registry?

Are the 'evils' of HTML and JavaScript completely limited to vulnerabilties? That would seem likely -- the sandbox is maintained unless there is a leak.

TonyT · Post by **TonyT** » Thu Aug 29, 2002 9:07 pm

Well, the sandbox applies more to java than javascript, but the basic concept is the same, the browser security settings control what can and cannot be run from a webpage.