Java vs JavaScript

Discussion in 'Java' started by Roedy Green, Apr 23, 2014.

  1. Roedy Green

    Joerg Meier Guest

    If you don't hover, the href link might differ from the text link:
    <a href="http://www.evil.org">www.google.com</a>. Have I now conclusively
    proven that HTML has a giant, gaping security hole?

    If Firefox display and execution differ, then that seems to be a Firefox
    issue. Neither HTML nor JavaScript somehow require Firefox to display the
    href content instead of the onclick content and then execute the onclick
    content instead of the href content. This disparity seems to be squarely at
    the feet of whoever maintains that particular behaviour.

    Kind regards,
    Joerg
     
    Joerg Meier, May 2, 2014
    #21
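
The gap the post above describes, between what a link displays and where it actually leads, can be checked mechanically. The following is an added example, not part of the original thread: a Node.js audit run over constructed sample markup. The names `hostOf`, `attr`, `auditLinks` and the issue labels are hypothetical, and the regex-based tag extraction assumes well-formed markup.

```javascript
// Added example (not from the thread): flag anchors whose visible text names
// one host while href points at another, and anchors carrying an onclick.
// Regex tag extraction is a simplification that assumes well-formed markup.
function hostOf(s) {
  // Accepts "www.google.com" or a full http(s) URL; returns lowercase host or null.
  const t = s.trim();
  if (!/^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i.test(t)) return null;
  try {
    return new URL(/^https?:\/\//i.test(t) ? t : "http://" + t).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

function attr(tag, name) {
  // Value of a quoted attribute inside an opening tag, or null if absent.
  const m = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)')", "i").exec(tag);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

function auditLinks(html) {
  const findings = [];
  const strip = (h) => h.replace(/^www\./, "");
  const re = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const text = m[2].replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
    const href = attr(m[1], "href");
    const shown = hostOf(text);
    const target = href ? hostOf(href) : null;
    if (shown && target && strip(shown) !== strip(target)) {
      findings.push({ text, href, issue: "text-host-mismatch" });
    }
    if (attr(m[1], "onclick") !== null) {
      findings.push({ text, href, issue: "onclick-handler-present" });
    }
  }
  return findings;
}

// Constructed sample markup; the first anchor is the one quoted in the post.
const SAMPLE = `
<a href="http://www.evil.org">www.google.com</a>
<a href="http://www.google.com/">www.google.com</a>
<a href="http://www.google.com" onclick="location='http://www.evil.org';return false">Search</a>
<a href="/about">About us</a>`;

console.log(auditLinks(SAMPLE));
```

Only the first and third anchors are reported: the first for the host mismatch, the third because an onclick handler can send the click somewhere other than the href shown on hover.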

  2. I prefer to draw a distinction between "attacks" that rely on confusing
    the user to direct them to a fake site (I'll call this phishing for lack
    of a better name) and attacks that actively harm you (more traditional
    security exploits). To some degree, phishing attacks are unavoidable due
    to stupid users, and you can make a case that many would be better
    handled not by informing the user of the malicious page switch
    beforehand but rather by indicating that the target of the link is not
    what the link claimed it was. Although success in the latter arena isn't
    great, either.
    One point of pedantry I want to bring up: JavaScript the language is not
    the same as the set of JavaScript libraries used in web programming
    (often known as DOM). The set of new additions to this repertoire over
    the past several years has fallen under the terminology of "HTML5"
    (although I know many web engine developers who dislike that term).
    The source of vulnerabilities is often in libraries, not languages; most
    of the security problems in Java that I can think up are not in the core
    VM but rather in the expansive set of libraries that make up the
    standard library. Similarly, JS's core language isn't the source of most
    problems but rather the DOM. In a similar vein, Flash and NaCl have
    problems simply because they allow access to rather less well-secured
    libraries.

    The only way you could get rid of these vulnerabilities would be to
    freeze the allowed access and the implementation except for bug and
    security fixes and then wait for 20 years (think TeX). And that's not
    going to happen.
     
    Joshua Cranmer 🐧, May 5, 2014
    #22

  3. Roedy Green

    Tim Slattery Guest

    The DOM (Document Object Model) is NOT a set of Javascript libraries.
    It's the way the browser makes the currently loaded document (usually
    an HTML page) available to the Javascript routines.
    HTML5 encompasses a number of things, see http://diveintohtml5.info
    for a look at the whole thing. It's not more JS libraries. There are
    certainly more JS commands and abilities to take advantage of the new
    features in HTML5.
     
    Tim Slattery, May 6, 2014
    #23
  4. The DOM is not part of the core JavaScript language. Ergo, it's a
    library as far as JavaScript is concerned. It certainly includes more
    than the reflection of the document to JS; DOM promises is an example
    (although it has since moved from a DOM feature to a core JS feature).
    When most people talk excitedly about HTML5, they often refer not to the
    additions to the declarative syntax of HTML but rather to the APIs like
    Geolocation, IndexedDB, WebWorker, etc. that are basically all JS
    library work. The document you linked to is quite guilty of this: only 4
    of its 11 chapters actually discuss HTML features. Whatever the original
    intent of the terminology, it has become a catchall term in common
    parlance for "everything added to the web platform since the demise of
    Netscape."
     
    Joshua Cranmer 🐧, May 6, 2014
    #24
  5. Roedy Green

    Ray Osborne Guest

    Ray Osborne, May 22, 2014
    #25