Thursday, September 07, 2006

JavaScript Limitations

JavaScript is most commonly used as a client-side language, and in this case the "client" refers to the end-user's web browser, in which JavaScript is interpreted and run. Since JavaScript does not have access to the server environment, there are many tasks that, while trivial when executed in PHP, simply cannot be achieved with JavaScript: reading and writing to a database, for example, or creating text files. But since JavaScript does have access to the client environment, it can make decisions based on data that server-side languages simply don't have, such as the position of the mouse, or the rendered size of an element.

Security Restrictions

As JavaScript operates within the realm of highly sensitive data and programs, its capabilities have been restricted to ensure that it can't be used maliciously. As such, there are many things that JavaScript simply is not allowed to do. For example, it cannot read most system settings from your computer, interact directly with your hardware, or cause programs to run.

Also, some specific interactions that would normally be allowed for a particular element are not permitted within JavaScript, because of that element's properties. For example, changing the value of a form <input> is usually no problem, but if it's a file input field (e.g., <input type="file">), writing to it is not allowed at all -- a restriction that prevents malicious scripts from making users upload a file they didn't choose.

There are quite a few examples of similar security restrictions, which we'll expand on as they arise in the applications we'll cover in this book. But to summarize, here's a list of JavaScript's major limitations and security restrictions, including those we've already seen. JavaScript cannot:

  • open and read files directly (except under specific circumstances, as detailed in Chapter 18, Building Web Applications with JavaScript).
  • create or edit files on the user's computer (except cookies [11], which are discussed in Chapter 8, Working with Cookies).
  • read HTTP POST data.
  • read system settings, or any other data from the user's computer that is not made available through language or host objects. (Host objects are things like window and screen, which are provided by the environment rather than the language itself.)
  • modify the value of a file input field.
  • alter the display of a document that was loaded from a different domain.
  • close or modify the toolbars and other elements of a window that was not opened by script (i.e., the main browser window).
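
Browsers enforce the cross-domain restriction in the list above by comparing origins, meaning scheme, host and port together, rather than the domain name alone. The following is an added example, not code from the original text; the helper names `originOf`, `sameOrigin` and `accessReport` and the sample URLs are constructed for illustration, and it relies on the standard `URL` class available in browsers and Node.js.

```javascript
// Added example: the origin comparison behind the "different domain" rule.
// originOf, sameOrigin and accessReport are hypothetical helper names.

// Returns the serialized origin, or null for an invalid URL or an opaque origin.
function originOf(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not an absolute URL
  }
  // data:, file: and similar URLs serialize their origin as the string "null".
  // Comparing those strings naively would treat two unrelated data: documents
  // as the same origin, so opaque origins are mapped to "matches nothing".
  return parsed.origin === "null" ? null : parsed.origin;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Constructed sample: a page and documents it might hold a reference to.
const PAGE = "http://www.example.com/app/index.html";
const FRAMES = [
  "http://www.example.com/help.html",      // same scheme, host, port
  "http://www.example.com:80/help.html",   // explicit default port, still same
  "https://www.example.com/help.html",     // scheme differs
  "http://www.example.com:8080/help.html", // port differs
  "http://static.example.com/help.html",   // host differs (subdomain)
  "data:text/html,<p>hi</p>",              // opaque origin
];

// For each document, report whether a script on `page` may alter it.
function accessReport(page, frames) {
  return frames.map((f) => ({ frame: f, scriptable: sameOrigin(page, f) }));
}

for (const row of accessReport(PAGE, FRAMES)) {
  console.log((row.scriptable ? "allow " : "block ") + row.frame);
}
```

Only the first two sample documents are scriptable from the page; a change of scheme, port or subdomain is enough to block access.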

Ultimately, JavaScript might not be supported at all.

It's also worth bearing in mind that many browsers include options that allow greater precision than simply enabling or disabling JavaScript. For example, Opera [12] includes options to disallow scripts from closing windows, moving windows, writing to the status bar, receiving right-clicks ... the list goes on. There's little you can do to work around this, but mostly, you won't need to -- such options have evolved to suppress "annoying" scripts (status bar scrollers, no-right-click scripts, etc.) so if you stay away from those kinds of scripts, the issue will come up only rarely.


Tags: javascript, javascript limitations, security restrictions, cookies, HTTP POST, opera
