version 11 showing authors affecting page license.
.
| Rev |
Author |
# |
Line |
| 1 |
JonPurvis |
1 |
JavaScript is a ProgrammingLanguage with DynamicTyping originally designed by Brendan Eich in 1995 for scripting NetscapeNavigator 2.0. Called ~LiveScript in beta versions, but was renamed and slightly redesigned for marketing reasons in the final release after [Netscape] licensed [Java] from SunMicrosystems. This has caused no end of confusion as the two languages have nearly nothing in common besides the first four letters of their names. |
| |
|
2 |
|
| 5 |
AristotlePagaltzis |
3 |
The language has grown over the years. The standard implementation is called ECMAScript, named after the standardization institute [ECMA] that it was handed to. Contrary to popular belief, these versions are pretty compatible. The problem many webdesigners were faced with is that the Document Object Model used to offer access to the [HTML] document a script belongs to in a browser has varied wildly. |
| 1 |
JonPurvis |
4 |
|
| |
|
5 |
There are many pages on the web about JavaScript, but one of the best is the JavaScript section at [Peter-Paul Koch's site | http://www.xs4all.nl/~ppk/js/]. |
| |
|
6 |
|
| |
|
7 |
---- |
| |
|
8 |
|
| |
|
9 |
!! Signing JavaScript |
| |
|
10 |
|
| 5 |
AristotlePagaltzis |
11 |
JavaScript has a relatively strict security model to prevent its use by malicious web content authors. (In practice, of course, the [Interpreter]s in WebBrowser~s are plagued with holes.) Some of those restrictions can be lifted, with the user's permission, if JavaScript code is signed. |
| |
|
12 |
|
| |
|
13 |
To sign JavaScript code using [Mozilla], you use the <tt>signtool</tt>. First set your ''Master Password'' in Mozilla to something easy and insecure as you'll have to put it on the command line. A quick |
| |
|
14 |
|
| 9 |
AristotlePagaltzis |
15 |
<pre> |
| |
|
16 |
signtool -d ~~/.mozilla -l |
| |
|
17 |
</pre> |
| 5 |
AristotlePagaltzis |
18 |
|
| |
|
19 |
will show you have no signing certificates. Quit [Mozilla] to generate one: |
| |
|
20 |
|
| 9 |
AristotlePagaltzis |
21 |
<pre> |
| |
|
22 |
signtool -d ~~/.mozilla -p ''password'' -G ''certname'' |
| |
|
23 |
</pre> |
| 5 |
AristotlePagaltzis |
24 |
|
| |
|
25 |
Now recheck your certificate list and notice that you have a singing certificate: |
| |
|
26 |
|
| 9 |
AristotlePagaltzis |
27 |
<pre> |
| |
|
28 |
signtool -d ~~/.mozilla -l |
| |
|
29 |
</pre> |
| 5 |
AristotlePagaltzis |
30 |
|
| |
|
31 |
Make a new directory, put any script files or HTML files with JavaScript code in it (say, <tt>''foo''.html</tt>) and sign the directory contents with this command: |
| |
|
32 |
|
| 9 |
AristotlePagaltzis |
33 |
<pre> |
| |
|
34 |
signtool -d ~~/.mozilla -p ''password'' -k ''certname'' -Z ''foo''.jar ''script_directory'' |
| |
|
35 |
</pre> |
| 5 |
AristotlePagaltzis |
36 |
|
| |
|
37 |
Test that it was signed correctly with: |
| |
|
38 |
|
| 9 |
AristotlePagaltzis |
39 |
<pre> |
| |
|
40 |
signtool -d ~~/.mozilla -v ''foo''.jar |
| |
|
41 |
</pre> |
| 5 |
AristotlePagaltzis |
42 |
|
| |
|
43 |
Referring to it as <tt>jar:~http://bar.com/baz/foo.jar!/foo.html</tt> will now allow unsafe code to execute provided the user has accepted your certificate. |
| |
|
44 |
|
| |
|
45 |
For a really thorough treatise on the subject, see [Signed Scripts in Mozilla | http://www.mozilla.org/projects/security/components/signed-scripts.html]. |
| |
|
46 |
|
| |
|
47 |
---- |
| |
|
48 |
|
| |
|
49 |
Part of CategoryProgrammingLanguages, CategoryObjectOrientedProgrammingLanguages, CategoryVeryHighLevelProgrammingLanguages |
