[thelist] doing the js thing!

Andrew Clover and-evolt at doxdesk.com
Wed Jul 3 06:30:01 CDT 2002


Erick Papadakis <erick_papadakis at yahoo.com> wrote:

> in their "something.js" file, they have to collect information
> about a cookie on my machine. wow. how do they do this?

Any time you include a <script> from any other file, it is executed
in the 'security context' of the current page, and can do anything
at all that JavaScript could do if included on the page itself. If you
use cookies to store authentication they can be read (using
the document.cookie property) by any script, and user actions
can be faked through cross-frame scripting and automated form
submissions. Also, if the user has given your site more
permissions, the external script can use those permissions; for
example if the user has put your site in their 'Trusted Sites' zone
in IE/Win the script is likely to be able to install ActiveX components
without user consent, which is disastrous for security.

For these reasons you should be extremely wary about linking to
external scripts not controlled by yourself; you really must trust
their owners not to take advantage.

> when i try to download their *.js, i cannot get it!

Do you mean you are prevented from downloading the file?

There are many possible reasons for this; it's impossible to say
without an example URL. It could perhaps be a referrer check, in
which case you could connect to the server's HTTP port manually
and type the 'Referer: ...' header, or simply grab the script from
your browser's cache.

Referrer checking is generally pretty disreputable, too...

--
Andrew Clover
mailto:and at doxdesk.com
http://and.doxdesk.com/


