The Mozilla docs on JavaScript security give a hint of hope that signed scripts will work around the cross-domain script exclusions that all good browsers enforce. But an item at DevArticles.com throws water on the idea:

Signed scripts are primarily useful in an intranet environment; they’re not so useful on the Web in general. To see why this is, consider that even though you can authenticate the origin of a signed script on the Web, there’s still no reason to trust the creator. If you encounter a script signed by your company’s IT department, you can probably trust it without much risk. However, you’d have no reason to think that a party you don’t know—for example, a random company on the Web—is at all trustworthy. So they signed their JavaScript—that doesn’t mean it doesn’t try to do something malicious! And if it did, most users would have no way of knowing.

In short, most browsers will pop up a scary looking security window asking the user what he or she want to do, and the chances of the user hitting the button marked “no, I don’t dare allow cross-domain XMLHTTPRequest calls” are at least 50-50. And, even if they weren’t, who would tolerate that message appearing regularly?

tags: cross domain, cross domain script exclusion, cross domain scripting, internet security, intranet environment, javascript, javascript security, mozilla, security, security components, signed script, signed scripts, web scripting, web security, xdomain, xmlhttprequest

Posted September 20, 2005 by Casey Bisson
Categories: Libraries & Networked Information, Technology. Tags: cross domain, cross domain script exclusion, cross domain scripting, internet security, intranet environment, javascript, javascript security, mozilla, security, security components, signed script, signed scripts, web scripting, web security, xdomain, xmlhttprequest.

1 Comment(s)

Comments RSS TrackBack Identifier URI

Leave a comment

Name (required)

Mail (will not be published) (required)

Website

 

User contributed tags for this post:

Funny Javascripts (117) - signed javascript (60) - Firefox signed script (58) - firefox signed scripts (45) - firefox signed javascript (37) - signed javascript firefox (36) - funny java scripts (33) - www.allsex.com (32) - wpa workaround (31) - javascript signed (29) - signed javascripts (29) - WWW.WORLDSEX.C (26) - signed (23) - signed script firefox (22) - signed scripts firefox (19) - javascripts (19) - xmlhttprequest cross domain (17) - xmlhttprequest signed script (16) - cross domain xmlhttprequest (16) - cross domain scripting workaround (13) - free funny javascripts (13) - www worldsex c (12) - javascript cross domain workaround (11) - XMLHttpRequest signed (10) - Firefox 3 accessing signed javascript page (10) - cross domain script exclusion (9) - google maps cross domain (8) - 4sex com (8) - Firefox 3.0 signed Javascript (8) - cross domain workaround (8) - cross domain scripting with XMLHttpRequest (7) - www.worldsex (7) - firefox signing scripts (7) - mozilla signed script (7) - XMLHTTPRequest crossdomain (7) - signed javascript example (7) - Signed XMLHTTPRequest (7) - www 89 com c (7) - firefox Digitally sign script (6) - MOVIS (6) - firefox 3 signed javascript (6) - mozilla signed javascript (6) - Safari signed javascript (6) - 4sex (6) - cross domain scripting work around (6) - firefox javascript security signed script (6) - plan c (6) - javascript wpa (6) - WWW GOOGLEEARTH COM (6) - firefox sign javascript (6) - worldsex.c (6) - iphone signed javascript cross-domain (6) - Digitally sign scripts firefox (6) - firefox signed (6) - xmlhttprequest domain workaround (5) - xmlHTTPrequest cross domain workaround (5) - sign script javascript (5) - signed javascript xmlhttprequest (5) - javascript signed script (5) - Firefox trust domain scripts (5) - signed javascript demo (5) - signed script demo (5) - signed javascript mozilla (5) - firefox javascript signed (5) - sign script firefox (4) - Signed Scripts in firefox (4) - firefox crossdomain (4) - workaround cross domain scripting (4) - erth plan (4) - signed javascript in firefox (4) - firefox digitally signed scripts (4) - wpa workaround javascript (4) - cross movis (4) - cross domain javascript signed (4) - cross domain signed javascript (4) - cross domain javascript signed script (4) - google maps api cross domain (4) - javascript cross domain (4) - Google erth plan (4) - digitally sign javascript example (4) - googleheart (4) - signed javascript tutorial (4) - XMLHttpRequest firefox cross domain (4) - cross domain google maps (4) - allow cross domain scripting (4) - xmlhttprequest workaround (4) - mozilla cross domain script (4) - cross domain scripts (4) - funny movis (4) - signed javascript firefox 3 (4) - google 4sex (3) - mozilla cross domain post (3) - digitally sign javascript (3) - indian movis (3) - Firefox 2 XMLHTTPRequest (3) - signed scripting (3) - firefox how to sign scripts (3) - javascript Signed Scripts (3) - signing script mozilla firefox xmlhttprequest (3) - Digitally signed scripts firefox (3) - xmlhttprequest signed scripts (3) - how to signed javascript (3) - firefox allow cross domain scripting (3) - javascript cross domain workarounds (3) - FireFox script signed (3) - signing javascript firefox (3) - work around cross domain scripting (3) - sign scripts firefox (3) - firefox cross domain xmlhttprequest (3) - signing javascript crossdomain mozilla (3) - signed script (3) - signed javascript google maps (3) - firefox digitally sign javascript (3) - firefox cross domain scripting workaround (3) - java scripts (3) - firefox sign script (3) - firefox javascript signing XmlHttpRequest (3) - xmlhttp crossdomain (3) - cross domain workaround javascript (3) - google maps cross domain scripting (3) - Google Map cross domain scripting (3) - cross domain script firefox (3) - Safari signed script (2) - funny java scripting buttons (2) - signed javascript safari (2) - firefox xmlhttprequest remote domain (2) - safari cross domain scripting demo (2) - javascript xmlhttprequest cross domain (2) - firefox AND code to allow cross domain xmlhttprequest (2) - javascript signed means (2) - sign scripts in firefox (2) - firefox javascript (digital | digitally) (sign | signature) -extension (2) - sign script cross domain (2) - mozilla xmlhttprequest cross domain hacks (2) - www,world sex vedio.com (2) - signing java scripts (2) - signed-script-demo (2) - www.18sexcom (2) - www.allsex (2) - allow cross domain xmlHttpRequest mozilla (2) - javascript cross domain signed (2) - firefox allowing cross domain scripts (2) - javascript signing script (2) - digitally signed script (2) - signed-script demo (2) - Firefox Signed Script Tutorial (2) - how to sign java scripts (2) - cross domain scripting and google map api (2) - cross domain signed scripts (2) - 10828 (2) -