Archive for November, 2007

1242 Part V. Putting JavaScript to Work

Sunday, November 25th, 2007

plug-in, a Java applet, or a JavaScript script. Because of the signed script facilities, NN4+ was designed to allow scripts to have a wider range of control over the browser's interior working parts, provided the user granted permission for such activity (more about this later in the chapter).

NN3 included a partially implemented prototype of another policy known as data tainting. Signed scripts supersede data tainting, so if you encounter any writings about data tainting, you can ignore them because the technology is not being further developed.

By and large, the same origin policy is in force inside IE3 and after. Precise details may not match up with NN one-for-one, but the most common features are identical. The signed script policy is implemented only in NN4+. While Microsoft offers digital signatures for some items that may be embedded within an HTML page (such as ActiveX controls and other components), scripts that are in an HTML page's source code or linked in as a .js library cannot be signed for IE. While everything you read in this chapter about signed scripts applies only to NN4+, you should find the next couple of sections informative even if you develop solely for IE.

The Same Origin Policy

The "origin" of the same origin policy means the protocol and domain of a source document. If all of the source files currently loaded in the browser come from the same server and domain, scripts in any one part of the environment can poke around the other documents. Restrictions come into play when the script doing the poking and the document being poked come from different origins. The potential security and privacy breaches this kind of access can cause put this access out of bounds within the same origin policy.

An origin is not the complete URL of a document. Consider the two popular URLs for Netscape's Web sites:

http://home.netscape.com
http://developer.netscape.com

The protocol for both sites is http:. Both sites also share the same domain name: netscape.com. But the sites run on two different servers: home and developer (at least this is how the sites appear to browsers accessing them; the physical server arrangement may be quite different).

If a frameset contains documents from the same server at netscape.com, and all frames are using the same protocol, then they have the same origin. Completely open and free access to information, such as location object properties, is available to scripts in any frame's document. But if one of those frames contains a document from the other server, their origins don't match. A script in a document from one server would display an "access disallowed" or "permission denied" error message if it tried to get the location property of that other document.

A similar problem occurs if you were creating a Web-based shopping service that displays the product catalog in one window and displays the order form from a secure server in another window. The order form, whose protocol might be https:, would not be granted access to the location object properties in a catalog page whose protocol is http:, even though both share the same server and domain name.
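The origin comparison described above, as an added example that is not code from the book: it checks protocol and server name for the two Netscape hosts and for a catalog/order-form pair. The shop.example.com URLs and the page paths are constructed for illustration, and the port comparison reflects how current browsers define an origin rather than anything stated in the text.

```javascript
// Added example: the same origin check described in the text.
// An origin here is protocol + server host name; current browsers
// also include the port, so it is compared as well.
function originOf(url) {
  const u = new URL(url);
  return { protocol: u.protocol, host: u.hostname, port: u.port };
}

// Decide whether a script loaded from scriptUrl may read properties
// (such as location) of the document loaded from targetUrl.
function checkAccess(scriptUrl, targetUrl) {
  const a = originOf(scriptUrl);
  const b = originOf(targetUrl);
  for (const part of ["protocol", "host", "port"]) {
    if (a[part] !== b[part]) {
      return { allowed: false, reason: `${part} mismatch: ${a[part]} vs ${b[part]}` };
    }
  }
  return { allowed: true, reason: "same origin" };
}

// Audit a frameset: every ordered pair of frames that would get a
// "permission denied" error, with the reason.
function deniedPairs(frameUrls) {
  const denied = [];
  for (const from of frameUrls) {
    for (const to of frameUrls) {
      if (from === to) continue;
      const result = checkAccess(from, to);
      if (!result.allowed) denied.push({ from, to, reason: result.reason });
    }
  }
  return denied;
}

// Constructed sample frameset: the two Netscape hosts from the text plus
// a hypothetical catalog (http:) and order form (https:) on one server.
const frames = [
  "http://home.netscape.com/index.html",
  "http://home.netscape.com/news.html",
  "http://developer.netscape.com/",
  "http://shop.example.com/catalog.html",
  "https://shop.example.com/order.html",
];
for (const d of deniedPairs(frames)) {
  console.log(`${d.from} -> ${d.to}: ${d.reason}`);
}
```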

1241 Chapter 46. Security and Netscape Signed Scripts

Sunday, November 25th, 2007

The Java Sandbox

Much of the security model for JavaScript is similar to that originally defined for Java applets. Applets had a potentially dangerous facility of executing Java code on the client machine. That is a far cry from the original deployment of the World Wide Web as a read-only publishing medium on the Internet. Here were mini-programs downloaded into a client computer that, if unchecked, could have the same access to the system as a local software program.

Access of this type would clearly be unacceptable. Imagine the dismay caused by someone clicking a link that said "Free Money," only to have the linked page download an applet that read or damaged local disk files unbeknownst to the user. In anticipation of pranksters, the designers of Java and the Java virtual machine built in a number of safeguards to prevent applets from gaining access to local machines. This mechanism is collectively referred to as the sandbox, a restricted area in which applets can operate. Applets cannot extend their reach outside of the sandbox to access local file systems and many sensitive system preferences. Any applet runs only while its containing page is still loaded in the browser. When the page goes away, so does the applet, without being saved to the local disk cache.

JavaScript adopted similar restrictions. The language provided no read or write access to local files beyond the highly regulated cookie file. Moreover, because JavaScript works more closely with the browser and its documents than applets typically do, the language had to build in extra restrictions to prevent browser-specific privacy invasions. For example, it was not possible for a script in one window to monitor the user's activity in another window, including the URL of the other window, if the page didn't come from the same server as the first window.

Sometimes the restrictions on the JavaScript side are even more severe than in Java. For example, while a Java applet is permitted to access the network anytime after the applet is loaded, an applet is prevented from reaching out to the Net if the trigger for that transaction comes from JavaScript via LiveConnect (see Chapter 44). Only partial workarounds are available.

Neither the Java nor JavaScript security blankets were fully bug-free at the outset. Some holes were uncovered by the languages' creators and others in the community. To their credit, Sun and Netscape (and Microsoft for that matter) are quick to plug any holes that are discovered. While the plugs don't necessarily fix existing copies of insecure browsers out there, it means that a Bad Guy can't count on every browser to offer the same security hole for exploitation. That generally makes the effort not worth the bother.

Security Policies

Netscape describes security mechanisms under the collective term policies. This usage of the word mirrors that of institutions and governments: A policy defines the way potentially insecure or invasive requests are handled by the browser or scripting language. NN4+ includes two different security policies: same origin and signed script policies. The same origin policy dates back to Navigator 2, although some additional rules have been added to that policy as Navigator has matured. The signed script policy started with NN4 and utilizes the state of the art in cryptographic signatures of executable code inside a browser, whether that code is a

1240 Part V. Putting JavaScript to Work

Saturday, November 24th, 2007

those features to beneficial use in controlled environments, such as intranets. But out in the Wild Wide Web, a scripter could capture a visitor's e-mail address by having the site's home page surreptitiously send a message to the site's author without the visitor even knowing it.

Word of security breaches of this magnitude not only circulated throughout the Internet, but also reached both the trade and mainstream press. As if the security issues weren't bad enough on their own, the public relations nightmare compounded the sense of urgency to fix the problem. To that end, Netscape released two revised editions of Navigator 2. The final release of that generation of browser, Navigator 2.02, took care of the scriptable security issues by turning off some of the scripted capabilities that had been put into the original 2.0 version. No more capturing visitors' browser histories; no more local file directory listings; no more silent e-mail. Users could even turn off JavaScript support entirely if they so desired.

The bottom line on security is that scripts are prevented from performing automated processes that invade the private property of a Web author's page or a client's browser. Thus, any action that may be suspect, such as sending an e-mail message, requires an explicit action on the part of the user (clicking a Submit button, in this case) to carry it out. Security restrictions must also prevent a Web site from tracking your activity beyond the boundaries of that Web site.

When Worlds Collide

If a script tries to do something that is not allowed or is a potential personal security breach, the browser reports the situation to the user. Figure 46-1, for instance, shows an IE/Windows warning a user gets from clicking a Submit button located in a form whose ACTION is set to a mailto: URL.

Another security error message often confuses scripters who don't understand the possible privacy invasions that can accrue from one window or frame having access to the URL information in another window or frame. In IE5/Windows, for example, an ominous error message, "Permission denied," warns users of an attempt to access URL information from another frame if that URL is from a different Web site. Despite the fact that a scripted Web site may have even loaded the foreign URL into the other frame, the security restrictions guard against unscrupulous usage of the ability to snoop in other windows and frames.

Figure 46-1: IE/Windows e-mail warning

Security and Netscape Signed Scripts

Saturday, November 24th, 2007

Chapter 46: Security and Netscape Signed Scripts

In This Chapter: Exploring browser security policies; Applying JavaScript to Navigator security mechanisms; Using Netscape signed scripts

The paranoia levels about potential threats to security and privacy on the Internet are at an all-time high. As more people rely on e-mail and Web site content for their daily lives and transactions, the fears will only increase for the foreseeable future (an indeterminate number of Web Weeks). As a jokester might say, though, "I may be paranoid, but how do I know someone really isn't out to get me?"

The answer to that question is that you don't know, and such a person may be out there. But Web software developers are doing their darnedest to put up roadblocks to those persons out to get you; hence, the many levels of security that pervade browsers. Unfortunately, these roadblocks also get in the way of scripters who have completely honest intentions. Designing a Web site around these barriers is one of the greatest challenges that many scripters face.

Battening Down the Hatches

When Navigator 2 first shipped to the world (way back in February 1996), it was the first browser released to include support for Java applets and scripting, two entirely different but often confused technologies. It didn't take long for clever programmers in the Internet community to find the ways in which one or the other technology provided inadvertent access to client computer information (such as reading file directories) and Web surfer activities (such as histories of where you've been on the Net and even the passwords you may have entered to access secure sites). JavaScript, in particular, was the avenue that many of these programmers used to steal such information from Web site visitors' browsers.

The sad part is that the same features that provide the access to the information were intentionally made a part of the initial language to aid scripters who would put

1237 Chapter 45. Debugging Scripts

Friday, November 23rd, 2007

A large part of good programming is anticipating what a user can do at any point and then being sure that your code covers that eventuality. With multiframe windows, for example, you need to see how unexpected reloading of a document affects the relationships between all the frames, especially if they depend on each other. Users will be able to click Reload at any time or suspend document loading in the middle of a download from the server. How do these activities affect your scripting? Do they cause script errors based on your current script organization?

The minute you enable a user to type an entry into a form, you also invite the user to enter the wrong kind of information into that form. If your script expects only a numeric value from a field, and the user (accidentally or intentionally) types a letter, is your script ready to handle that bad data? Or no data? Or a negative floating-point number?

Just because you, as author of the page, know the proper sequence to follow and the right kind of data to enter into forms, your users will not necessarily follow your instructions. In days gone by, such mistakes were relegated to "user error." Today, with an increasingly consumer-oriented Web audience, any such faults rest solely on the programmer: you.

If I sound as though I'm trying to scare you, I have succeeded. I was serious in the early chapters of this book when I said that writing JavaScript is programming. Users of your pages are expecting the same polish and smooth operation (no script errors and certainly no crashes) from your site as from the most professional software publisher on the planet. Don't let them or yourself down. Test your pages extensively on as many browsers and as many operating systems as you can and with as wide an audience as possible before putting the pages on the server for all to see. …

1236 Part V. Putting JavaScript to Work

Friday, November 23rd, 2007

This method automatically pushes the closing brace of the function lower, which is what I want: putting it securely at the end of the function where it belongs. It also ensures that I line up the closing brace of the if statement with that grouping. Additional statements in the if construction push down the two closing braces. If you don't like typing or don't trust yourself to maintain this kind of discipline when you're in a hurry to test an idea, you should prepare a separate document that has templates for the common constructions: