By Haik Sahakian
The creators of the web allowed web pages to include content like images from any other server on the internet. But to protect web pages from being read by other web sites, they prevented web pages from talking to each other with JavaScript unless they were both from the same server.

As a result, pages can include images, CSS files, and JavaScript files from any server they wish. Framesets and IFRAMEs can also load web pages from anywhere. But JavaScript cannot communicate between two different servers.

This is a challenge for JavaScript programmers who want to load data from another server. The most common solution takes advantage of the fact that JavaScript files are treated as ordinary network objects while they are being loaded (they can come from any server), but are bound by the stricter same-origin policy only once the script executes. Data can be passed to a different server as URL parameters on the SRC attribute of a SCRIPT tag, and the reply comes back from that server as the JavaScript contents of the returned script file, which the browser then executes in the page.

Using this method to pass XML data from server to server is awkward, because the XML has to be wrapped in JavaScript to be legal inside a SCRIPT tag. It proved easier for a server to output the data as JavaScript itself rather than as XML. This JavaScript-derived data format is called JSON, and it is commonly used when sending data to a web page via a SCRIPT tag.

Sensitive data should not be transmitted this way. Data passed via a SCRIPT tag can indeed be read by a different web site, but that also means it can be read by any web site that chooses to include the script.
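The exchange described above, as an added example that is not part of the original article: a Node.js simulation of both sides of a SCRIPT-tag data load. The names (buildScriptUrl, jsonpResponse, receiveViaScriptTag, showWeather) and the weather data are assumptions constructed for the example, and the callback-name check is an assumed server-side precaution, not something the article prescribes.

```javascript
// Constructed sample data. Only public data belongs in a SCRIPT-tag response,
// because any site on the internet can include the script and read it.
const SAMPLE_DATA = { city: 'Austin', tempF: 91 };

// Client side: across origins the browser can only *load* a script, so the
// request parameters travel in the SRC URL of the SCRIPT tag.
function buildScriptUrl(base, params) {
  const qs = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return `${base}?${qs}`;
}

// Server side: the data is returned as JavaScript, a call to the function the
// page named in the URL. Only a plain identifier is accepted as that name;
// otherwise the endpoint would echo a caller-chosen string straight into an
// executed script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;
function jsonpResponse(callbackName, data) {
  if (!CALLBACK_RE.test(callbackName)) throw new Error('invalid callback name');
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Simulates what the browser does with the returned file: it executes it as a
// script in the page, where the named callback function receives the data.
function receiveViaScriptTag(scriptText, callbacks) {
  const run = new Function(...Object.keys(callbacks), scriptText);
  run(...Object.values(callbacks));
}

// End-to-end round trip: build the URL, let the "server" answer, execute the
// answer in the "page", and return what the page received.
function demo() {
  const url = buildScriptUrl('https://data.example/weather',
    { city: 'Austin', callback: 'showWeather' });
  const callbackName = new URL(url).searchParams.get('callback');
  let received = null;
  receiveViaScriptTag(jsonpResponse(callbackName, SAMPLE_DATA),
    { showWeather: (d) => { received = d; } });
  return { url, received };
}
```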

In fact, if an ordinary HTML page mistakenly begins with JavaScript code instead of an HTML tag, it becomes readable through a SCRIPT tag on a different server. Browsers will not allow a non-script file to be read this way, but if your HTML page starts with JavaScript code, whether inside a SCRIPT tag of its own or not, browsers will mistake the page for an external script file and allow access. Validating your HTML files protects against this.

Upcoming versions of HTML will allow web pages to establish trusted relationships with other web servers, but at present the most common way to share data between servers is to use a proxy server. A client-side Flash proxy can also be used, since Flash's crossdomain.xml allows data to be shared securely between different web servers.

1 Response to "Two Minute Guide to the JavaScript Security Model"

said this on 13 May 2010 9:26:17 AM CDT
I want good skills in Flash.

Copyright 2000-2013 ActionScript.org. All Rights Reserved.