Fall 2021

js security

Many operations are not allowed from JavaScript in a client browser. For example,

same-origin , part 1

JavaScript in one window can't look at or modify anything in another window whose document came from a different origin. "Origin" here means the combination of scheme, host and port, so a different server is one case of it, but so is the same server reached over http instead of https, or on a different port.

 +- window 1 ----------------------------+
 |   <script src=/scripts/stuff.js>      |
 |   <script src=>                       |
 +---------------------------------------+
    This window's server is
    The JavaScript in both stuff.js and magic.js
    can only interact with documents from
    In particular, neither of these scripts can look
    at cookies or alter forms from 'window 2' below.

 +- window 2 ----------------------+
 |                                 |
 +---------------------------------+

If, say, magic.js could interact with window 2's document, then it could for example change the amazon window's <form method=post action=URL> to any URL it wanted. Then when you went to buy some books, you could be sending your credit card information somewhere else entirely.

same-origin , part 2

Scripts that make HTTP requests for more data (i.e. AJAX) can only read responses from the origin that the document is from. (Modern browsers let another server opt in to cross-origin reads by sending CORS headers such as Access-Control-Allow-Origin; without that opt-in, the rule below applies.)

 +- window 1 ----------------------------------------+
 |   <script src=/scripts/ajax.js>                   |
 |     ... can talk to                               |
 |   <script src=>                                   |
 |     ... can *not* talk to                         |
 +---------------------------------------------------+
    This document is from
    Any additional HTTP requests from JavaScript running
    in this window can only be directed to

Even though the ajax2.js file was loaded from another site, it cannot use AJAX techniques to make an HTTP request back to that site, because the document is from a different origin. A script's privileges come from the document that included it, not from where the script file was fetched.

Since HTTP requests not only get information but can also send information, this limits how much a script can learn from sites other than the one you're explicitly visiting. Note what it does and doesn't stop: the same-origin policy prevents the script from *reading* a cross-origin response, but a request can still be *sent* by other means (an image tag, a form submission, a script tag), so on its own it is not a complete defence against a malicious script leaking data.

This restriction can be relaxed by explicitly changing document.domain, for example if a page at wanted to have its JavaScript fetch data from. The relaxation only works between hosts under a common parent domain: each page may set document.domain to its own host or to a parent of it (never to a public suffix like "com"), and both pages must set it to the same value. It is a legacy mechanism that browsers are phasing out; CORS headers from the server are the supported way to permit cross-origin reads today.
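To make the origin comparison concrete, here is an added example (not code from the original notes) showing what "same origin" actually compares, and a simplified model of the document.domain rule described above. The hostnames used below are made-up placeholders, not the sites the notes refer to.

```javascript
// Added example: origin comparison and the (legacy) document.domain rule.
// Hostnames are hypothetical. Runs in Node or a browser; URL is a global in both.

// An origin is the (scheme, host, port) triple. Path, query and fragment are
// irrelevant. URL.origin also normalises default ports (http:80, https:443).
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// document.domain relaxation: a page may set document.domain only to its own
// host or to a parent domain of that host, and both cooperating pages must set
// the same value. Browsers also refuse public suffixes such as "com"; the
// includes('.') check is a crude stand-in for that public-suffix rule.
function canRelaxDocumentDomain(currentHost, candidate) {
  if (candidate === currentHost) return true;
  return currentHost.endsWith('.' + candidate) && candidate.includes('.');
}

// Given two pages that each set document.domain, do they end up able to
// script each other? Only if both relaxations are legal and agree.
function relaxedSameOrigin(hostA, hostB, chosenDomain) {
  return canRelaxDocumentDomain(hostA, chosenDomain) &&
         canRelaxDocumentDomain(hostB, chosenDomain);
}

// Demonstration with placeholder hosts.
const cases = [
  ['http://www.example.com/a', 'http://www.example.com:80/b'],   // same origin
  ['http://www.example.com/',  'https://www.example.com/'],      // scheme differs
  ['http://www.example.com/',  'http://www.example.com:8080/'],  // port differs
  ['http://www.example.com/',  'http://api.example.com/'],       // host differs
];
for (const [a, b] of cases) {
  console.log(a, 'vs', b, '->', sameOrigin(a, b) ? 'same origin' : 'different origin');
}
console.log('www + api relax to example.com:',
  relaxedSameOrigin('www.example.com', 'api.example.com', 'example.com'));
console.log('www.example.com relax to other.com:',
  canRelaxDocumentDomain('www.example.com', 'other.com'));
```

The fourth case is the one that surprises people: two subdomains of the same company are different origins by default, which is exactly why document.domain existed.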

JavaScript security vs HTML security

Note that the restrictions above apply to what the JavaScript program can do, not to what tags in the HTML can do.

Image tags, for example, can make an HTTP request to anywhere. This is commonly used for purposes other than just images, such as counters or tracking; such things are often called 'web bugs'.

Likewise, you can put any URL you want in a 'script' tag, which will load and run the JavaScript from that URL ... which may in turn create other 'script' tags in the document which may load other scripts. Those scripts run with the full privileges of the page that included them, no matter where they were fetched from, so they can do whatever they want to your web page - with your implicit permission; you referenced 'em - so make sure that you trust them.

Cross-site scripting attacks

To be secure, you must make sure that anything entered by the user isn't 'leaking out' somewhere unexpected. You do this by checking that they input what you want, and only what you want, and, just as importantly, by encoding their input for wherever it ends up (HTML text, an attribute, a URL, a script), so that it is treated as data rather than as markup or code.

For example, if you ask them for their name in a form, and then use JavaScript to stick it into a web page, so that

user: Jim

turns into

<p>Hi Jim</p>

they might instead type

user: Eve<script src=''></script>

which if just stuck into your page would load their JavaScript ... which could do anything it wanted to your page.
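The name-echo above, written both the unsafe way and the hardened way, as an added example (this is not code from the original notes). The untrusted inputs are constructed samples: the first is the page's own "Eve<script ...>" payload, the second shows that encoding also neutralises an attribute-based payload that contains no 'script' tag at all. The HTML is built as strings so the example runs in Node without a browser; the commented DOM lines show the equivalent in a page.

```javascript
// Added example: XSS via string splicing, and the fix (HTML-encode the input).
// Inputs below are constructed samples, not real user data.

// Encode the five characters that can change meaning inside HTML text content.
// (This is the encoding for an HTML *text* context; an attribute value, a URL or
// a JavaScript string each need their own context-specific encoding.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the user's text is spliced straight into markup. This is what
//   element.innerHTML = '<p>Hi ' + name + '</p>';
// does in a browser: whatever tags the user typed become part of the page.
function greetUnsafe(name) {
  return `<p>Hi ${name}</p>`;
}

// Hardened: encode before the text becomes markup. In a browser the simplest
// equivalent is to never touch innerHTML with user input at all:
//   const p = document.createElement('p');
//   p.textContent = 'Hi ' + name;   // rendered literally, tags and all
function greetSafe(name) {
  return `<p>Hi ${escapeHtml(name)}</p>`;
}

// Crude check used only to make the difference visible: did any tag other than
// our own <p> wrapper survive into the output?
function containsInjectedTag(html) {
  const inner = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

const samples = [
  'Jim',                                   // the honest user from the notes
  "Eve<script src=''></script>",           // the notes' attacker input
  '<img src=x onerror="alert(1)">',        // no 'script' tag, still executes
];

for (const name of samples) {
  const unsafe = greetUnsafe(name);
  const safe = greetSafe(name);
  console.log('input :', name);
  console.log('unsafe:', unsafe, containsInjectedTag(unsafe) ? '  <-- injected markup' : '');
  console.log('safe  :', safe,   containsInjectedTag(safe)   ? '  <-- injected markup' : '');
}
```

Note that the honest input 'Jim' renders identically either way; only the attacker's input is changed, and it is changed into harmless text rather than rejected. Rejecting input is still worthwhile (a name field has no business containing angle brackets), but encoding at the point of output is the defence that holds even when validation is bypassed or the data arrives from somewhere you did not validate.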

For another example, see When Trinity Hacked the IRS D-Base at the Hacker Challenges page.

/courses/fall2021/internet/notes/js_security
last modified Wed September 1 2021 2:56 pm