[Javascript] Resizing images client-side
Paul Novitski
paul at juniperwebcraft.com
Sat Jul 14 12:03:54 CDT 2007
At 7/14/2007 06:54 AM, Troy III Ajnej wrote:
>what security model and why "wisely", -what's so wise about that?
>So what if the page is loaded from the remote server? Is it still
>residing on your browser cache? It is being executed from your browser
>cache, and if you load a picture file you will be loading it from your
>cache to the browser cache. So what is your point?
It's a fundamental principle of JavaScript that a page downloaded
from the net can't read or write files on the local machine outside
of cache and more generally can't cross from one domain to
another. If it could, as Hassan has illustrated, many people by now
would be reaching through that obvious security breach to read
private information from our computers, write executables, and delete
and corrupt our files.
There's a vast difference between files resident on our computers
that we put there and files encapsulated in browser cache. By
limiting JavaScript's scope to files downloaded from the same domain
as the web page that brings us the script, we have effectively
insulated ourselves against malicious scripts.
>It has nothing to do with security.
...
>Your files can not harm your machine.
Whoa. If by "machine" you mean the software environment of our
computers, of course there are files resident on our computers that
can harm other files. And harm to local files is only part of the
threat. If I can read local files into a web page I can communicate
them (the fact of their existence or their content) to the
server. Even if your original benevolent intent is to display
images, what's to prevent someone else's script from addressing other
file types?
>Are you suggesting that one can not include images from different
>domains, nor local addresses in the same page?
Absolutely. Read
http://www.mozilla.org/projects/security/components/same-origin.html
Please google 'javascript security' and have a good read.
Regards,
Paul
__________________________
Paul Novitski
Juniper Webcraft Ltd.
http://juniperwebcraft.com
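As an added illustration (not code from this thread or its author), here is a small model of the same-origin rule Paul refers to: a script may display any image, but it may read an image's pixel data (which client-side resizing via canvas needs) only when scheme, host and port match the page's origin, and a local file: URL has an opaque origin that never matches a web page. The URLs and the `imageAccess` helper are constructed for the example; the port defaults and tuple comparison follow the rule described on the linked Mozilla page.

```javascript
// Model of the browser same-origin rule (added example, not the thread's code).
// Origin = (scheme, host, port); file:, data: and about: URLs are treated as
// opaque origins that never match anything, so a page served over HTTP can
// never read a local file through this check.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Return the origin tuple for a URL, or null for an opaque origin.
function originOf(urlString) {
  const url = new URL(urlString); // WHATWG parser lowercases the host for us
  if (!(url.protocol in DEFAULT_PORTS)) {
    return null; // opaque origin in this model
  }
  const port = url.port || DEFAULT_PORTS[url.protocol];
  return { scheme: url.protocol, host: url.hostname, port };
}

// True only when both origins are tuples and every component matches.
function sameOrigin(pageUrl, resourceUrl) {
  const a = originOf(pageUrl);
  const b = originOf(resourceUrl);
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// What a script on `pageUrl` may do with an image at `resourceUrl`: an <img>
// can always be displayed, but drawing a cross-origin image onto a canvas
// taints it and pixel reads are refused (absent CORS headers, which did not
// exist when this thread was written).
function imageAccess(pageUrl, resourceUrl) {
  return { display: true, readPixels: sameOrigin(pageUrl, resourceUrl) };
}

// Constructed sample cases (hypothetical URLs).
const page = "http://www.example.com/gallery/index.html";
const cases = [
  "http://www.example.com:80/photos/a.jpg",   // same origin, default port
  "http://WWW.Example.com/photos/a.jpg",      // same origin, host is case-insensitive
  "https://www.example.com/photos/a.jpg",     // scheme differs
  "http://images.example.com/photos/a.jpg",   // host differs
  "http://www.example.com:8080/photos/a.jpg", // port differs
  "file:///C:/Users/me/Pictures/a.jpg",       // local file: opaque origin
];
for (const res of cases) {
  console.log(res, imageAccess(page, res));
}
```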