10 things you cannot do with Javascript

Update: I am talking about Javascript in a web browser here!  This link seems to have been picked up somewhere else, not in the web development sphere, so it is causing a bit of confusion!

Javascript is a fairly misunderstood tool - until recently no one really paid it much attention other than when it was used to create pop-up windows or mask links’ true destinations - but it’s a fairly powerful tool and more and more people are using it to create some pretty cool things.

But there is a lot of confusion out there! Some people are getting confused between the capabilities of Javascript and something like PHP or ASP, so here is a look at some of the misconceptions I see coming up time and time again:

  1. Javascript cannot access the local file system. You can’t read or write files on the user’s computer - it’s a security feature to prevent sites doing anything they like on your computer (like leave a virus…)
  2. Javascript cannot access the remote file system either! It used to be the accepted knowledge that you couldn’t even access files hosted on the server…things have changed slightly with the widespread support for XMLHttpRequest, but you’ve still only got HTTP to play with - you can’t move files around, rename them, change permissions or anything like that on the server using only Javascript.
  3. Javascript cannot run any application outside the browser. Just like with point 1, this is a security feature to prevent a website doing as it pleases.
  4. Javascript cannot access your printer/scanner/webcam. Javascript has no direct access to your peripherals without relying on 3rd party tools etc.
  5. Javascript cannot change the URL displayed by the browser. Again this is for security reasons, otherwise any old site could simply change the displayed URL to look like your Bank’s or PayPal’s etc secure site to trick you into entering your details.
  6. Javascript cannot change the browser history. For example, you cannot control which page appears if the user clicked on the “back” button in their browser.
  7. Javascript cannot access your database. If you’ve got a MySQL or SQL Server database on your server, you cannot use Javascript to access it directly - you’ll need to use a server-side language (e.g. PHP, ASP etc) for that.
  8. Javascript cannot “encrypt” your HTML or prevent “image theft”. It is pathetically easy to circumvent so-called Javascript “security” features, so it’s not even worth trying. If a user can see your page, they can steal it!
  9. Javascript cannot control the user’s mouse or keyboard. Sorry but Javascript won’t let you “hijack” a user’s mouse and move it to click on your site’s adverts to make you money!
  10. Javascript cannot use multiple threads. There are some moves afoot to try and create some sort of library to accomplish this, but for now the advice is don’t worry about optimising your Javascript for multiple core CPUs!

You can probably get around a lot of these with some 3rd party tools or plug-ins, but this is just a generic look at the basic concepts! Feel free to correct me in the comments though if you think I am wrong!
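Point 8 as an added example (not part of the original post): the page has to ship its own decoder so the browser can render it, which means anyone who receives the page receives the markup too. The `protectHtml` wrapper and the sample markup are constructed stand-ins for a typical HTML "encryption" script, not any particular tool.

```javascript
// Added example, not from the original post. protectHtml is a constructed
// stand-in for the HTML "encryption" scripts that point 8 refers to.

// What such a tool emits: the page markup, percent-encoded, wrapped in a
// script that decodes it and writes it into the document at load time.
function protectHtml(html) {
  const encoded = encodeURIComponent(html);
  return 'document.write(decodeURIComponent("' + encoded + '"));';
}

// What every visitor's browser must do to display the page: run the script.
// Passing in our own `document` object collects the decoded markup instead
// of rendering it. new Function executes the script, so this is meant for
// markup you encoded yourself.
function renderToString(script) {
  const written = [];
  const fakeDocument = { write: (...parts) => written.push(parts.join("")) };
  new Function("document", script)(fakeDocument);
  return written.join("");
}

// Constructed sample page.
const SAMPLE_HTML =
  '<h1>Members only</h1><img src="/img/photo.jpg" alt="photo">';

function demo() {
  const shipped = protectHtml(SAMPLE_HTML);
  const recovered = renderToString(shipped);
  return {
    shipped,                               // what "view source" shows
    recovered,                             // what the browser renders
    looksHidden: !shipped.includes("<h1>") // no readable tags in the source
  };
}

const result = demo();
console.log(result.shipped);
console.log(result.recovered);
```

The shipped source contains no readable tags, yet the recovered string is byte-for-byte the original markup. Content that must stay private has to be withheld by the server, not disguised in the client.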

13 Responses

  1. jmb Says:

    Um … aren’t those what ActiveX does? And gets nailed for, security-wise, quite often?

    I think so.

  2. Matt Says:

    Well yes that is the case, and applies to Java Applets too (and possibly even Flash “movies”?), but ActiveX is a totally different kettle of fish compared to Javascript.

  3. Ricky Clarkson Says:

    JavaScript is only a programming language. It doesn’t have to run in a web browser.

    It is Turing-complete, which means it’s possible to accomplish anything in it that you can with any other language, in terms of end goals. One could theoretically write ActiveX controls in JavaScript.

  4. Matt Says:

    I was only writing this in the context of a web development scenario as that is the target audience for this blog.

    Anyway, I am sure someone will correct me on this if I am wrong, but as far as I know, Turing completeness only relates to the computational equivalence of programming languages, and has nothing to do with the realm beyond just the actual computation itself.

    So yes, you can calculate anything you can do in any other language that is Turing complete, but beyond the computation there are significant differences in practical abilities, for example an infinite paper tape and a pencil is a universal machine but you are going to have to find some intermediate way to access a conventional digital network or a database; the same goes for Javascript. Sure we could easily write the logic to deal with it, it’s just there is a practical limitation that means we can’t do it directly.

  5. Ricky Clarkson Says:

    The same is true for any programming language. I didn’t get the web browser context because the link was posted on dzone, out of context. It might be worth saying “in a web browser” somewhere another time. ;)

  6. ejboy Says:

    To Mar:

    Signed applets can do anything from the above mentioned list. However unsigned applets have similar limitations except the multithreading.

  7. Rob Says:

    Yup, these claims definitely need qualification. I’ve written ASP and Windows scripts (WSH) in Javascript, and can do most of these in those scripting hosts (a browser is just another scripting host).

    Regarding #6: even in a browser, window.location.replace() does remove the current page from the browser history.

    Regarding #7: it IS possible to encode code so it’s still possible, not “pathetically easy” to read. But a lot of security boils down to that: making it too difficult for hackers to want to keep trying.

    Regarding #9: Have you noticed the click() method yet?
    http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/click.asp

  8. Simon Willison Says:

    JavaScript can do all of those things, if you embed it in an environment that provides an interface for them. A more accurate title for this entry would be “10 things you cannot do with JavaScript in the browser”.

  9. Federico Builes Says:

    Matt:

    Why would you need points #5 and #6?
    I have no idea if PHP/ASP/Whatever support that, but why would you ever think of changing a user’s history or displayed URL? For that logic, Javascript cannot grow chickens in your PC, but does it really matter?

    Maybe I’m not open-minded enough and there’s a legitimate use for this functionality?

  10. Dan Sickles Says:

    Do you use Firefox? If so, look in the jars in /chrome. Most of the application and “controller” logic of Firefox is written in javascript with access to system resources. This is true of all Mozilla apps and extensions. When run in the browser sandbox, your statements are true. There’s nothing inherent in the language that imposes those limits. JavaScript running on the JVM (rhino) has access to all java APIs. One of the coolest javascript hacks is Narcissus, a javascript interpreter written in javascript by Mr javascript himself Brendan Eich.

    http://en.wikipedia.org/wiki/Narcissus_(JavaScript_engine)
    http://lxr.mozilla.org/mozilla/source/js/narcissus/

  11. Matt Says:

    Federico: It would seem that people want to alter the history to be able to remove login pages and the like.

    For example imagine a blog site. You view a post, you click edit, you get prompted to login, then you get the edit page. If you click “back” on the edit page, people want to be able to send their users directly back to the original page. There are ways around it depending on how you design your authentication systems but there is confusion from many about what javascript is capable of. Similar reasoning is used for being able to change the displayed URL…and for tricking people too of course!

    And for everyone else - I am aware that javascript is capable of doing this, but the article was referring to the use of javascript on a web page and so running in a browser as this blog is aimed at a web development audience. I’ve updated the post to reflect this!

  12. Aaron Bassett Says:

    “Javascript cannot access the local file system.”
    So what is a cookie then if not a file stored locally?

    “Javascript cannot change the browser history.”
    So why do we have a history object? Yes you have to grant access to the requesting script but it can still read/alter the history object (might be Netscape only)

    “Javascript cannot control the user’s mouse or keyboard.”
    document.getElementById('myLinkId').click();
    In IE browsers will make the user click on the link.

    So that’s more like 7 things Javascript can’t do. Then if we take away those things which can be done using XHR and a server side language we’re down to 4 things.
    Add in the fact that using externalInterface+flash and we can access a webcam/mic/etc and we are down to 3 things :)

  13. Terabanitoss Says:

    Hello
    You are The Best!!!
    Bye
