I am looking for the official javascript security specification for web
browsers. EMCAScript and DOM spec does not seem to contain a section on
security, so I assume none exists and the security policies are
implemented as the vendor pleases. If so, do security specs for IE and
Mozilla exist?
When it comes to IE6, especially on the XP OS, you have a large number
of possible security selections for both script and ActiveX, and there
are advanced options to allow you to select or deselect various
security measures. Moreover the frequent Microsoft updates often
involve security concerning script or ActiveX. Thus the security specs
in effect are a moving target depending on choices Microsoft offers the
user and some measures for which there is no choice. To a certain
extend, Mozilla does the same, but not nearly as much as Microsoft.
Since security problems can be caused by a combination of script, html,
and various other things, one often has to consider a security problem
as a whole. For example, a nasty bug based on script might open a
certain port. Then another bug on the web, that may or may not have
anything to do with script, may be able to get in and set up
housekeeping - such as using your computer as a mailer for spam. The
hackers are now writing much more complex code than just a few years
ago, and it can use multi steps and a zoo of different code types.
