The Mozilla docs on JavaScript security give a hint of hope that signed scripts will work around the cross-domain script exclusions that all good browsers enforce. But an item at DevArticles.com throws water on the idea:

Signed scripts are primarily useful in an intranet environment; they’re not so useful on the Web in general. To see why this is, consider that even though you can authenticate the origin of a signed script on the Web, there’s still no reason to trust the creator. If you encounter a script signed by your company’s IT department, you can probably trust it without much risk. However, you’d have no reason to think that a party you don’t know—for example, a random company on the Web—is at all trustworthy. So they signed their JavaScript—that doesn’t mean it doesn’t try to do something malicious! And if it did, most users would have no way of knowing.

In short, most browsers will pop up a scary looking security window asking the user what he or she want to do, and the chances of the user hitting the button marked “no, I don’t dare allow cross-domain XMLHTTPRequest calls” are at least 50-50. And, even if they weren’t, who would tolerate that message appearing regularly?

tags: cross domain, cross domain script exclusion, cross domain scripting, internet security, intranet environment, javascript, javascript security, mozilla, security, security components, signed script, signed scripts, web scripting, web security, xdomain, xmlhttprequest

Posted September 20, 2005 by Casey Bisson
Categories: Libraries & Networked Information, Technology. Tags: cross domain, cross domain script exclusion, cross domain scripting, internet security, intranet environment, javascript, javascript security, mozilla, security, security components, signed script, signed scripts, web scripting, web security, xdomain, xmlhttprequest.

1 Comment(s)

Comments RSS TrackBack Identifier URI

Leave a comment

Name (required)

Mail (will not be published) (required)

Website

 

User contributed tags for this post:

Funny Javascripts (119) - Firefox signed script (62) - signed javascript (62) - firefox signed scripts (49) - signed javascript firefox (39) - firefox signed javascript (38) - funny java scripts (34) - signed javascripts (33) - javascript signed (31) - wpa workaround (31) - signed (28) - signed script firefox (22) - signed scripts firefox (20) - javascripts (19) - xmlhttprequest cross domain (17) - cross domain xmlhttprequest (16) - xmlhttprequest signed script (16) - cross domain scripting workaround (14) - free funny javascripts (13) - javascript cross domain workaround (12) - XMLHttpRequest signed (10) - Firefox 3 accessing signed javascript page (10) - cross domain script exclusion (9) - mozilla signed script (9) - cross domain workaround (8) - firefox Digitally sign script (8) - firefox signing scripts (8) - google maps cross domain (8) - Firefox 3.0 signed Javascript (8) - signed javascript example (7) - cross domain scripting with XMLHttpRequest (7) - signed scripting (7) - XMLHTTPRequest crossdomain (7) - Signed XMLHTTPRequest (7) - firefox 3 signed javascript (7) - www 89 com c (7) - MOVIS (6) - signed javascript demo (6) - firefox javascript security signed script (6) - cross domain scripting work around (6) - Digitally sign scripts firefox (6) - iphone signed javascript cross-domain (6) - Safari signed javascript (6) - mozilla signed javascript (6) - firefox signed (6) - javascript wpa (6) - WWW GOOGLEEARTH COM (6) - javascript signed script (6) - firefox sign javascript (6) - plan c (6) - firefox javascript signed (5) - signed javascript mozilla (5) - signed javascript xmlhttprequest (5) - Firefox trust domain scripts (5) - xmlHTTPrequest cross domain workaround (5) - signed javascript safari (5) - signed script demo (5) - xmlhttprequest domain workaround (5) - sign script javascript (5) - erth plan (4) - workaround cross domain scripting (4) - wpa workaround javascript (4) - signed javascript tutorial (4) - cross movis (4) - sign script firefox (4) - signed javascript firefox 3 (4) - signed script (4) - googleheart (4) - cross domain javascript signed (4) - Google erth plan (4) - signed javascript in firefox (4) - firefox digitally signed scripts (4) - cross domain scripts (4) - digitally sign javascript example (4) - javascript cross domain (4) - funny movis (4) - cross domain javascript signed script (4) - allow cross domain scripting (4) - cross domain signed javascript (4) - javascript Signed Scripts (4) - cross domain google maps (4) - mozilla cross domain script (4) - firefox digitally sign javascript (4) - XMLHttpRequest firefox cross domain (4) - google maps api cross domain (4) - xmlhttprequest workaround (4) - Signed Scripts in firefox (4) - firefox crossdomain (4) - digitally sign javascript (3) - how to signed javascript (3) - javascript cross domain workarounds (3) - signed scripts cross domain (3) - mozilla cross domain post (3) - javascript iframe cross-domain signed (3) - signing javascript firefox (3) - Digitally signed scripts firefox (3) - xmlhttprequest signed scripts (3) - sign scripts for firefox 3 (3) - work around cross domain scripting (3) - firefox how to sign scripts (3) - firefox sign script (3) - signing script mozilla firefox xmlhttprequest (3) - FireFox script signed (3) - firefox allow cross domain scripting (3) - Firefox 2 XMLHTTPRequest (3) - cross domain signed script (3) - java scripts (3) - cross domain workaround javascript (3) - signing javascript crossdomain mozilla (3) - Google Map cross domain scripting (3) - google maps cross domain scripting (3) - sign scripts firefox (3) - firefox cross domain scripting workaround (3) - firefox cross domain xmlhttprequest (3) - firefox javascript signing XmlHttpRequest (3) - indian movis (3) - cross domain script firefox (3) - xmlhttp crossdomain (3) - signed javascript google maps (3) - cross domain javascript in firefox (2) - safari cross domain scripting demo (2) - sign scripts in firefox (2) - Java funny scripts (2) - javascript signed means (2) - xmlhttprequest cross domain java (2) - wwwsxse com (2) - firefox allow XMLHttpRequest domain workaround (2) - javascript xmlhttprequest cross domain (2) - xmlhttprequest get javascript cross workaround (2) - signed-script-demo (2) - Safari signed script (2) - signed script mozilla (2) - javascript signed cross domain (2) - how to sign java scripts (2) - cross domain signed scripts (2) - firefox signed javascript greasemonkey (2) - firefox 3 signed scripts (2) - mozilla xmlhttprequest cross domain hacks (2) - cross domain mozilla google (2) - signed firefox script (2) - funny java scripting buttons (2) -