Current Issues with JavaScript

Abstract

Wilton (2000) explained that one important fact about JavaScript is that it is an interpreted language rather than a compiled language. Because of this, the language needs an interpreter to convert the code into a form the computer can execute. The browser carries an internal program, the interpreter, which converts the JavaScript into code the computer can understand. Some important facts about this process are:

  • The conversion of the JavaScript code happens at the time the code is run on the client side, i.e. when the requested web page has been downloaded to the browser.
  • The conversion happens every time the code is downloaded to the browser.
  • Most browsers come equipped with a JavaScript interpreter.

Wilton (2000) also explained that the main reason for choosing JavaScript in web programming is the widespread support for this scripting language among browsers such as Internet Explorer, Netscape Navigator, and Firefox. Another scripting language that can be used in web development is VBScript; however, VBScript is supported only by Internet Explorer. Some of the most common uses of JavaScript are:

  • Interacting with users on web sites.
  • Getting information from end users.
  • Validating the information on the client side, and executing actions accordingly.

The browser executes the scripting code when the JavaScript is placed in a web page between <script> and </script> tags, i.e. within a script block in the HTML content.

Current Issues with JavaScript

Wootton (2001) explained that dominant browsers such as Internet Explorer and Netscape Navigator competed with one another by adding more features. These features pushed the architectures of the browsers in different directions. Such differences made it difficult to maintain compatibility with the scripting language, and also to maintain portability: code that runs correctly under one browser may or may not behave the same way under another. Also, because of these architectural differences, the same code often has to be written in two different ways, with the browser identified first, to guarantee compatibility.

The standard implementation of JavaScript is used to maintain compatibility, and the standard is divided into three areas:

  • The core language, which contains the fundamentals that comply with the ECMAScript standard.
  • The client side, which offers the ability to manipulate the page's Document Object Model (DOM) and the various browser object models.
  • The server-side extensions, which allow writing standalone components that communicate with the web server through server-side objects such as ADO, ADO.NET and CGI.

One key difference between client-side and server-side scripts is in how they run: client-side JavaScript is interpreted on the fly by the browser, whereas server-side JavaScript is first compiled into byte code (Wootton, 2001).

Security Issues with JavaScript

Deitel and Deitel (2008) stated that one of the security issues with JavaScript is that, for a browser to be able to run JavaScript code, some changes to the browser's security settings have to be applied. For example, by default Internet Explorer prevents scripts from running, and users have to change this setting in the security section of the Internet Options.

Powell and Schneider (2004) explained that when a user downloads an unknown program from the web, running it on the user's computer represents a security risk: it can act as a backdoor into the system and return information about that computer to the program's author (the spyware concept). The same risk applies to running JavaScript code in the browser, since it invites code written by an unknown party to run on the user's computer. For this reason browsers implement a security policy, a set of rules that govern what a script can do and under what circumstances.

JavaScript and the browser also implement a security model in which downloaded scripts run in a restricted environment. The restriction allows a script to access only the data in the current document; no access is permitted to the local file system, the operating system, the network layers, or the memory space of other running programs. These rules prevent malicious scripts from exposing the user's environment to risk. Exceptions are made when the script comes from a trusted source, but even then the explicit consent of the user is required. Another security policy implemented by JavaScript prevents a script loaded from one web site from changing the properties of a document from another web site (Powell and Schneider, 2004).

Woychowsky (2003) stated that many of the security concerns surrounding JavaScript have been addressed and resolved. One important part of JavaScript security is that the language includes no object that can execute commands through the client's operating system, access the client's files, or query the client's network connections. Other features restricted in JavaScript to reduce security risk are: uploading files, accessing the browser's history collection, submitting files, sending mail, and altering menu bars. Other policies implemented by JavaScript are:

  • A script may read and alter only the document that contains it.
  • If the script is using port 80 and the HTTP protocol, it is not allowed to switch to port 21 and FTP (to prevent data theft).
  • Scripts are prevented from collecting the browser's cookie collection.
  • JavaScript cannot access the client's hard drive or change the contents of files stored on it.
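The two rules above that matter most for the web today are the one about a script touching only its own document and the one about not switching from port 80/HTTP to port 21/FTP. Both are instances of what browsers now call the same-origin policy: a script's origin is the triple of scheme, host and port of the page it was loaded from, and it may only read or alter documents with exactly the same triple. The following is an added example written for this page; it is not code from the essay or from any of the cited authors. It models that check in plain JavaScript, assumes Node.js with its built-in WHATWG URL class, and uses constructed sample URLs (example.com hosts) rather than any real site.

```javascript
// Added example, not from the essay or its sources: a minimal model of the
// browser's same-origin check, the rule that stops a script loaded from one
// web site from reading or altering a document belonging to another.
// An origin is the triple (scheme, host, port); the port-80/HTTP versus
// port-21/FTP case in the essay is a scheme mismatch under this rule.
// All URLs below are constructed sample values.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ftp:': '21' };

// Reduce a URL to its origin triple. The URL parser drops a default port
// (http://host:80 -> port ""), so it is put back to compare consistently.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two URLs share an origin only when all three components match exactly;
// a subdomain or a different port is a different origin.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Decide whether a script loaded from `scriptUrl` may access the document
// at `targetUrl`, and say which component blocked it. The reason string is
// the kind of detail worth keeping in a security log.
function accessDecision(scriptUrl, targetUrl) {
  const a = originOf(scriptUrl), b = originOf(targetUrl);
  if (a.scheme !== b.scheme) {
    return { allowed: false, reason: `scheme differs (${a.scheme} vs ${b.scheme})` };
  }
  if (a.host !== b.host) {
    return { allowed: false, reason: `host differs (${a.host} vs ${b.host})` };
  }
  if (a.port !== b.port) {
    return { allowed: false, reason: `port differs (${a.port} vs ${b.port})` };
  }
  return { allowed: true, reason: 'same origin' };
}

// Constructed cases: the script's own page checked against several targets.
const SCRIPT_URL = 'http://www.example.com/page.html';
const CASES = [
  'http://www.example.com:80/other.html',  // same origin: explicit default port
  'ftp://www.example.com/data.txt',        // the essay's HTTP -> FTP switch
  'http://evil.example.com/page.html',     // different host (subdomain)
  'http://www.example.com:8080/page.html', // different port
  'https://www.example.com/page.html',     // different scheme
];

// Returns one decision record per case so callers can inspect the results.
function runCases() {
  return CASES.map((target) => ({ target, ...accessDecision(SCRIPT_URL, target) }));
}

// Stand-alone run: print one line per case.
for (const r of runCases()) {
  console.log(`${r.allowed ? 'ALLOW' : 'DENY '} ${r.target}  (${r.reason})`);
}
```

Only the first case is allowed; the others are denied because a single differing component (scheme, host or port) makes a different origin. Real browsers layer further rules on top of this triple (the essay's trusted-source exceptions with user consent, for instance), but the triple comparison is the core check that prevents one site's script from reading another site's document.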

Vaughan (2007) stated that developers are hesitant to use JavaScript because of its security issues. Even with the improvement of the scripting tool through the invention of Asynchronous JavaScript and XML (AJAX), security problems can be aggravated if such tools are not handled properly. For this reason many policies and security models have been developed to improve security and to prevent web developers from making mistakes that could lead to security breaches on their web sites.

Conclusion

JavaScript is the most popular client-side web scripting language because it is supported by many browsers. JavaScript is composed of statements that, when executed, perform a desired function. Browsers interpret and execute JavaScript statements found within a web page. A security model was implemented within the browser and within JavaScript to prevent scripting code from accessing resources on the computer such as the hard drive, the file system, operating system commands, or the network layers.

Finally, when implementing scripting code within a web page, the developer has to recognize the compatibility and portability issues that may change from one browser to another.

References

Deitel, P. & Deitel, H. (2008) Internet & World Wide Web: How to Program. 4th ed. New Jersey: Pearson Prentice Hall.

Powell, T. & Schneider, F. (2004) JavaScript Security [Online]. Available from: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/ (Accessed: 19 February 2010).

Vaughan, J. (2007) JavaScript mashups raise application security issues; require caution [Online]. Available from: http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1280688,00.html (Accessed: 19 February 2010).

Wilton, P. (2000) Beginning JavaScript. 2nd ed. Birmingham: Wrox Press.

Wootton, C. (2001) JavaScript Programmer's Reference. 2nd ed. Birmingham: Wrox Press.

Woychowsky, E. (2003) JavaScript Security is making strides [Online]. Available from: http://articles.techrepublic.com.com/5100-10878_11-5034711.html (Accessed: 19 February 2010).
