The Mozilla docs on JavaScript security give a hint of hope that signed scripts will work around the cross-domain script exclusions that all good browsers enforce. But an item at DevArticles.com throws water on the idea:

Signed scripts are primarily useful in an intranet environment; they’re not so useful on the Web in general. To see why this is, consider that even though you can authenticate the origin of a signed script on the Web, there’s still no reason to trust the creator. If you encounter a script signed by your company’s IT department, you can probably trust it without much risk. However, you’d have no reason to think that a party you don’t know—for example, a random company on the Web—is at all trustworthy. So they signed their JavaScript—that doesn’t mean it doesn’t try to do something malicious! And if it did, most users would have no way of knowing.

In short, most browsers will pop up a scary looking security window asking the user what he or she want to do, and the chances of the user hitting the button marked “no, I don’t dare allow cross-domain XMLHTTPRequest calls” are at least 50-50. And, even if they weren’t, who would tolerate that message appearing regularly?

tags: cross domain, cross domain script exclusion, cross domain scripting, internet security, intranet environment, javascript, javascript security, mozilla, security, security components, signed script, signed scripts, web scripting, web security, xdomain, xmlhttprequest

Somebody asked for some links to get started with PHP. Of course I lead them to the PHP.net official site, where the documentation is some of the best I’ve seen for any product.

I also suggested PHPDeveloper.org and PHPFreaks.com, though the truth is I usually Google any questions I have that the official docs don’t answer. Still, I’ve found some good info at both of those.

Finally, the PHP Cheat Sheet at ILoveJackDaniels.com is pretty nice to have around (cheat sheets mentioned previously).

tags: docs, documentation, php, web scripting