Java vs JavaScript

Discussion in 'Java' started by Roedy Green, Apr 23, 2014.

  1. Roedy Green

    Joerg Meier Guest

    On Fri, 02 May 2014 10:20:25 -0700, Gene Wirchenko wrote:

    > Well, if you hover on the link, Firefox, at least, will display
    > the link as being according to the href= phrase, but the actual
    > destination will be according to the onclick= phrase.


    If you don't hover, the href link might differ from the text link: <a
    href="http://www.evil.org">www.google.com</a>. Have I now conclusively
    proven that HTML has a giant, gaping security hole ?

    If Firefox display and execution differ, then that seems to be a Firefox
    issue. Neither HTML nor JavaScript somehow require Firefox to display the
    href content instead of the onclick content and then execute the onclick
    content instead of the href content. This disparity seems to be squarely at
    the feet of whoever maintains that particular behaviour.

    Liebe Gruesse,
    Joerg

    --
    Ich lese meine Emails nicht, replies to Email bleiben also leider
    ungelesen.
     
    Joerg Meier, May 2, 2014
    #21
    1. Advertisements

  2. On 5/4/2014 4:38 AM, Chris Uppal wrote:
    > Security is about the person using the browser, not the browser itself, nor the
    > page that the browser is displaying. /They/ aren't going to loose money, get
    > infected, be advertised at unwantedly, whatever... The person is -- or may be.
    > If the whole settup (Java/Flash/JavaScript/HTML/etc) is such that an actual
    > user is mislead, then that is security failure, and then it's just a matter of
    > finger-pointing as to which part of the system takes how much blame.


    I prefer to draw a distinction between "attacks" that rely on confusing
    the user to direct them to a fake site (I'll call this phishing for lack
    of a better name) and attacks that actively harm you (more traditional
    security exploits). To some degree, phishing attacks are unavoidable due
    to stupid users, and you can make a case that many would be better
    handled not by informing the user of the malicious page switch
    beforehand but rather by indicating that the target of the link is not
    what the link claimed it was. Although success in the latter arena isn't
    great, either.

    > I expect I'll be able to make the same claim about HTNL5 soon, if I can't
    > already.


    One point of pedantry I want to bring up: JavaScript the language is not
    the same as the set of JavaScript libraries used in web programming
    (often known as DOM). The set of new additions to this repertoire over
    the past several years has fallen under the terminology of "HTML5"
    (although I know many web engine developers who dislike that term).

    > HTML has problems. JavaScript makes it easier to exploit those problems, and
    > adds new ones of its own. Java, FLash, and any other pluggin can be expected
    > to add yet more problems -- it's inherent in the nature of a plugin (by which I
    > mean exernal compiled code) that it may open too many doors (NACL aside,
    > perhaps).


    The source of vulnerabilities is often in libraries, not languages; most
    of the security problems in Java that I can think up are not in the core
    VM but rather in the expansive set of libraries that make up the
    standard library. Similarly, JS's core language isn't the source of most
    problems but rather the DOM. In a similar vein, Flash and NaCl have
    problems simply because they allow access to rather less well-secured
    libraries.

    The only way you could get rid of these vulnerabilities would be to
    freeze the allowed access and the implementation except for bug and
    security fixes and then wait for 20 years (think TeX). And that's not
    going to happen.

    --
    Beware of bugs in the above code; I have only proved it correct, not
    tried it. -- Donald E. Knuth
     
    Joshua Cranmer ðŸ§, May 5, 2014
    #22
    1. Advertisements

  3. Roedy Green

    Tim Slattery Guest

    Joshua Cranmer ? <> wrote:


    >One point of pedantry I want to bring up: JavaScript the language is not
    >the same as the set of JavaScript libraries used in web programming
    >(often known as DOM).


    The DOM (Document Object Model) is NOT a set of Javascript libraries.
    It's the way the browser makes the currently loaded document (usually
    an HTML page) available to the Javascript routines.

    >The set of new additions to this repertoire over
    >the past several years has fallen under the terminology of "HTML5"
    >(although I know many web engine developers who dislike that term).


    HTML5 encompasses a number of things, see http://diveintohtml5.info
    for a look at the whole thing. It's not more JS libraries. There are
    certainly more JS commands and abilities to take advantage of the new
    features in HTML5.

    --
    Tim Slattery
    tim <at> risingdove <dot> com
     
    Tim Slattery, May 6, 2014
    #23
  4. On 5/6/2014 12:06 PM, Tim Slattery wrote:
    >> One point of pedantry I want to bring up: JavaScript the language is not
    >> the same as the set of JavaScript libraries used in web programming
    >> (often known as DOM).

    >
    > The DOM (Document Object Model) is NOT a set of Javascript libraries.
    > It's the way the browser makes the currently loaded document (usually
    > an HTML page) available to the Javascript routines.


    The DOM is not part of the core JavaScript language. Ergo, it's a
    library as far as JavaScript is concerned. It certainly includes more
    than the reflection of the document to JS; DOM promises is an example
    (although it has since moved from a DOM feature to a core JS feature).

    >> The set of new additions to this repertoire over
    >> the past several years has fallen under the terminology of "HTML5"
    >> (although I know many web engine developers who dislike that term).

    >
    > HTML5 encompasses a number of things, see http://diveintohtml5.info
    > for a look at the whole thing. It's not more JS libraries. There are
    > certainly more JS commands and abilities to take advantage of the new
    > features in HTML5.


    When most people talk excitedly about HTML5, they often refer not to the
    additions to the declarative syntax of HTML but rather to the APIs like
    Geolocation, IndexedDB, WebWorker, etc. that are basically all JS
    library work. The document you linked to is quite guilty of this: only 4
    of its 11 chapters actually discuss HTML features. Whatever the original
    intent of the terminology, it has become a catchall term in common
    parlance for "everything added to the web platform since the demise of
    Netscape."


    --
    Beware of bugs in the above code; I have only proved it correct, not
    tried it. -- Donald E. Knuth
     
    Joshua Cranmer ðŸ§, May 6, 2014
    #24
  5. Roedy Green

    Ray Osborne Guest

    Interesting and meaningful thread of posts. I will cross-post this to my group
    at https://groups.google.com/forum/#!forum/a1a-javajobs

    On Wednesday, April 23, 2014 11:39:52 AM UTC-4, Roedy Green wrote:
    > There is something odd going on.
    >
    >
    >
    > I have always thought the Java sandbox was so restrictive, there was
    >
    > nothing a user need worry about. There is no way an unsigned applet
    >
    > could do any damage.
    >
    >
    >
    > But Oracle and the browsers are acting like unsigned Applets are
    >
    > highly dangerous, making you do override after override to run them.
    >
    >
    >
    > On the other hand I don't think JavaScript has any sort of sandbox at
    >
    > all, and everyone blissfully runs scripts that can do anything.
    >
    >
    >
    > Why the double standard? Is JavaScript safer than I thought?
    >
    > --
    >
    > Roedy Green Canadian Mind Products http://mindprod.com
    >
    > "Don't worry about people stealing an idea; if it's original, you'll
    >
    > have to shove it down their throats."
    >
    > ~ Howard Aiken (born: 1900-03-08 died: 1973-03-14 at age: 73)
     
    Ray Osborne, May 22, 2014
    #25
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Michael Kintner
    Replies:
    0
    Views:
    1,098
    Michael Kintner
    Nov 30, 2003
  2. Ilias Lazaridis
    Replies:
    0
    Views:
    910
    Ilias Lazaridis
    Feb 1, 2005
  3. mcdeveloper
    Replies:
    1
    Views:
    4,676
    mcdeveloper
    Jun 13, 2006
  4. CRON
    Replies:
    25
    Views:
    222,561
    davidb
    May 29, 2015
  5. Mark Rae

    JavaScript or not JavaScript

    Mark Rae, Sep 5, 2006, in forum: ASP .Net
    Replies:
    36
    Views:
    1,552
    Paul Sture
    Sep 9, 2006
  6. Nathan Sokalski
    Replies:
    4
    Views:
    921
    PJ on Development
    Nov 8, 2007
  7. manish sahu
    Replies:
    3
    Views:
    1,341
  8. Isaac
    Replies:
    0
    Views:
    625
    Isaac
    Jan 20, 2011
Loading...