Arthur T. wrote:
> Java is safe, at least theoretically, because it runs in its own
> virtual machine. Javascript, by design, can do damn near anything to
> your machine.

I'm not sure I agree here.
Java is safe only to the point where
- core classes are properly implemented to prevent unauthorized access
to native classes
- The Bytecode interpreter (JVM) is properly implemented (not allowing
bytecode to access stuff outside the sandbox - except for properly
authorized interaction with native classes)
- For example, from within an Applet in a Web Browser container,
instantiating File I/O class objects that would read/write to the
filesystem is prohibited unless the Applet containment file is signed
- A Java application instantiated by other JVM containers (for example
via 'java' or 'javaw') will usually not have those restrictions
- Security bugs happen when a core class doesn't invoke the proper
security manager - or when there is a problem with the security manager
- or when the native classes aren't properly defined.
Javascript is safe to the point where
- Interpreted code is not allowed to step out of the interpreter
- The hosting environment only allows access to protected classes and
methods by authorized code
- For example, javascript code invoked from within an HTML page in a web
browser won't be allowed to invoke most methods of the 'filesystem' class.
- A Javascript application instantiated from within other script hosts
may not have that restriction.
- Security bugs happen when an interface doesn't properly verify that
the invoker of a method is authorized to do so.
Restrictions for unauthorized code (in both cases) usually entail :
- No access to the machine local resources except for the windowing
system and stdin/stdout.
- No access to network resources other than the host from which the
application originated.
So basically, the 2 have the same issues : Making sure any interaction
with the machine is authorized. It's not a design flaw - it's dependent
on proper interpreter & interface implementations.
I don't see how javascript is less (or more) safe than java (aside from
bugs)..
but I could be wrong !
--Ivan
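
Added example, not part of the original post: a toy JavaScript model of the point above that the sandbox holds only while every exposed method verifies its invoker. The host, the grant table and all names (`makeContext`, `hostFs`, `writeFileBuggy`) are hypothetical, and the file contents are constructed sample data.

```javascript
// Toy model of a script host; every name here is hypothetical.
class SecurityError extends Error {}
// Constructed in-memory "filesystem" standing in for a machine-local resource.
const disk = new Map([['/home/user/notes.txt', 'constructed sample data']]);
// Host-private grant table: a script holds a context token but cannot edit it.
const grants = new WeakMap();
function makeContext(origin, signed) {
  const ctx = Object.freeze({ origin });
  grants.set(ctx, new Set(signed ? ['fs'] : []));
  return ctx;
}
function checkPermission(ctx, perm) {
  const granted = grants.get(ctx);
  if (!granted || !granted.has(perm)) throw new SecurityError(`'${perm}' denied`);
}
// Interface the host exposes to scripts.
const hostFs = {
  readFile(ctx, path) {             // verifies the invoker first
    checkPermission(ctx, 'fs');
    return disk.get(path);
  },
  writeFileBuggy(ctx, path, data) { // bug: authorization check forgotten
    disk.set(path, data);
  },
  writeFile(ctx, path, data) {      // same method with the check restored
    checkPermission(ctx, 'fs');
    disk.set(path, data);
  },
};
// Runs one call and reports whether the host allowed or denied it.
function attempt(fn) {
  try { fn(); return 'allowed'; } catch (e) {
    if (e instanceof SecurityError) return 'denied';
    throw e;
  }
}

function demo() {
  const page = makeContext('http://example.test', false); // unsigned content
  const signedApp = makeContext('http://example.test', true);
  const f = '/home/user/notes.txt';
  return {
    pageRead: attempt(() => hostFs.readFile(page, f)),
    signedRead: attempt(() => hostFs.readFile(signedApp, f)),
    forgedRead: attempt(() => hostFs.readFile({ origin: 'forged' }, f)),
    buggyWrite: attempt(() => hostFs.writeFileBuggy(page, f, 'x')),
    fixedWrite: attempt(() => hostFs.writeFile(page, f, 'x')),
  };
}
```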