The Mozilla docs on JavaScript security give a hint of hope that signed scripts will work around the cross-domain script exclusions that all good browsers enforce. But an item at DevArticles.com throws water on the idea:

Signed scripts are primarily useful in an intranet environment; they’re not so useful on the Web in general. To see why this is, consider that even though you can authenticate the origin of a signed script on the Web, there’s still no reason to trust the creator. If you encounter a script signed by your company’s IT department, you can probably trust it without much risk. However, you’d have no reason to think that a party you don’t know—for example, a random company on the Web—is at all trustworthy. So they signed their JavaScript—that doesn’t mean it doesn’t try to do something malicious! And if it did, most users would have no way of knowing.

In short, most browsers will pop up a scary looking security window asking the user what he or she want to do, and the chances of the user hitting the button marked “no, I don’t dare allow cross-domain XMLHTTPRequest calls” are at least 50-50. And, even if they weren’t, who would tolerate that message appearing regularly?

tags: cross domain, cross domain script exclusion, cross domain scripting, internet security, intranet environment, javascript, javascript security, mozilla, security, security components, signed script, signed scripts, web scripting, web security, xdomain, xmlhttprequest

Posted September 20, 2005 by Casey Bisson
Categories: Libraries & Networked Information, Technology. Tags: cross domain, cross domain script exclusion, cross domain scripting, internet security, intranet environment, javascript, javascript security, mozilla, security, security components, signed script, signed scripts, web scripting, web security, xdomain, xmlhttprequest.

1 Comment(s)

Comments RSS TrackBack Identifier URI

Leave a comment

Name (required)

Mail (will not be published) (required)

Website

 

User contributed tags for this post:

Funny Javascripts (117) - signed javascript (59) - Firefox signed script (58) - firefox signed scripts (45) - firefox signed javascript (37) - signed javascript firefox (36) - funny java scripts (32) - wpa workaround (31) - signed javascripts (29) - javascript signed (29) - www.allsex.com (28) - WWW.WORLDSEX.C (25) - signed (22) - signed script firefox (22) - signed scripts firefox (19) - javascripts (19) - xmlhttprequest cross domain (17) - xmlhttprequest signed script (16) - cross domain xmlhttprequest (16) - free funny javascripts (13) - cross domain scripting workaround (13) - www worldsex c (12) - javascript cross domain workaround (11) - XMLHttpRequest signed (10) - Firefox 3 accessing signed javascript page (10) - cross domain script exclusion (9) - Firefox 3.0 signed Javascript (8) - 4sex com (8) - cross domain workaround (8) - google maps cross domain (8) - www 89 com c (7) - cross domain scripting with XMLHttpRequest (7) - Signed XMLHTTPRequest (7) - www.worldsex (7) - mozilla signed script (7) - firefox signing scripts (7) - XMLHTTPRequest crossdomain (7) - signed javascript example (7) - 4sex (6) - mozilla signed javascript (6) - firefox 3 signed javascript (6) - worldsex.c (6) - javascript wpa (6) - iphone signed javascript cross-domain (6) - MOVIS (6) - firefox sign javascript (6) - firefox javascript security signed script (6) - WWW GOOGLEEARTH COM (6) - firefox Digitally sign script (6) - Digitally sign scripts firefox (6) - cross domain scripting work around (6) - firefox signed (6) - plan c (6) - xmlHTTPrequest cross domain workaround (5) - Safari signed javascript (5) - xmlhttprequest domain workaround (5) - signed script demo (5) - javascript signed script (5) - firefox javascript signed (5) - sign script javascript (5) - signed javascript xmlhttprequest (5) - Firefox trust domain scripts (5) - signed javascript demo (5) - signed javascript mozilla (5) - wpa workaround javascript (4) - signed javascript in firefox (4) - erth plan (4) - digitally sign javascript example (4) - cross movis (4) - cross domain javascript signed (4) - sign script firefox (4) - signed javascript firefox 3 (4) - firefox digitally signed scripts (4) - XMLHttpRequest firefox cross domain (4) - cross domain javascript signed script (4) - workaround cross domain scripting (4) - firefox crossdomain (4) - google maps api cross domain (4) - mozilla cross domain script (4) - Signed Scripts in firefox (4) - signed javascript tutorial (4) - cross domain scripts (4) - Google erth plan (4) - funny movis (4) - cross domain google maps (4) - allow cross domain scripting (4) - xmlhttprequest workaround (4) - googleheart (4) - javascript cross domain (4) - cross domain signed javascript (4) - indian movis (3) - firefox how to sign scripts (3) - google 4sex (3) - signed scripting (3) - firefox javascript signing XmlHttpRequest (3) - firefox cross domain xmlhttprequest (3) - work around cross domain scripting (3) - FireFox script signed (3) - signed javascript google maps (3) - xmlhttprequest signed scripts (3) - signing javascript firefox (3) - google maps cross domain scripting (3) - Digitally signed scripts firefox (3) - javascript cross domain workarounds (3) - how to signed javascript (3) - javascript Signed Scripts (3) - cross domain script firefox (3) - Google Map cross domain scripting (3) - xmlhttp crossdomain (3) - Firefox 2 XMLHTTPRequest (3) - firefox cross domain scripting workaround (3) - java scripts (3) - mozilla cross domain post (3) - signed script (3) - sign scripts firefox (3) - firefox digitally sign javascript (3) - cross domain workaround javascript (3) - firefox allow cross domain scripting (3) - digitally sign javascript (3) - signing script mozilla firefox xmlhttprequest (3) - firefox sign script (3) - signing javascript crossdomain mozilla (3) - cross domain scripting and google map api (2) - firefox xmlhttprequest remote domain (2) - javascript xmlhttprequest cross domain (2) - java signed scripts location (2) - digitally signed script (2) - xmlhttp signed (2) - mozilla xmlhttprequest cross domain hacks (2) - javascript signing script (2) - allow cross domain xmlHttpRequest mozilla (2) - signed-script-demo (2) - how to sign java scripts (2) - cross domain signed scripts (2) - cross domain mozilla google (2) - signed firefox script (2) - firefox allowing cross domain scripts (2) - funny java scripting buttons (2) - www.18sexcom (2) - XMLHttpRequest C (2) - javascript cross domain signed (2) - www.allsex (2) - xmlhttprequest get javascript cross workaround (2) - firefox AND code to allow cross domain xmlhttprequest (2) - Safari signed script (2) - cross domain post mozilla javascript (2) - cross domain security workaround (2) - javascript signed intranet (2) - XMLHttpRequest firefox 2 (2) - signed javascript safari (2) -