Local HTML version of Foils prepared 15 January 1997

Foil 75 TAINTING! Security in JavaScript

From JavaScript Tutorial for CPS616 Technologies of the Information Age 1997 Basic Information Track of CPS -- Spring Semester 97. by Geoffrey C. Fox
Tainting ensures that certain properties cannot be freely used
These "taintable" properties include cookie, links, title, etc. in document; the most interesting properties of forms; history; and location
Once you access such a property from a SERVER different from the one that spawned the JavaScript page, your current statement and everything derived from it is "tainted"
  • Note that testing whether a variable is tainted itself taints your program, so one cannot write useful JavaScript programs involving tainted quantities and networking
Tainted variables may NOT be passed over the network to other servers, e.g. to a CGI script
You can control the tainting of pages and untaint them so that remote servers can freely use them
  • However, I don't think anybody does this ...
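
The propagation rules on this foil, as a small runnable model (an added example, not code from the tutorial or from any browser's implementation). The `Script` and `Tainted` classes, the `.example` origins and the rule that data may still go back to the server it came from are assumptions of the model.

```javascript
// Toy model of data tainting as the foil describes it; every name here is constructed.
class Tainted {
  constructor(value, origin) { this.value = value; this.origin = origin; }
}
const raw = (x) => (x instanceof Tainted ? x.value : x);

class Script {
  constructor(origin) { this.origin = origin; this.taint = null; }
  // Reading a taintable property of a page from a different server yields tainted
  // data, unless that page's author untainted the property.
  read(doc, prop) {
    const v = doc.props[prop];
    if (doc.origin === this.origin || doc.untainted.has(prop)) return v;
    return new Tainted(v, doc.origin);
  }
  // Everything derived from a tainted value is tainted as well.
  concat(a, b) {
    const src = [a, b].find((x) => x instanceof Tainted);
    const out = String(raw(a)) + String(raw(b));
    return src ? new Tainted(out, src.origin) : out;
  }
  // Branching on a tainted value taints the script itself: the branch taken
  // reveals something about the value even if the value is never sent.
  test(x, predicate) {
    if (x instanceof Tainted) this.taint = x.origin;
    return predicate(raw(x));
  }
  // Assumption: "other servers" means any server except the one the data came from.
  send(dest, data) {
    const src = data instanceof Tainted ? data.origin : this.taint;
    return src && src !== dest ? "blocked" : "sent";
  }
}

function demo() {
  const other = { origin: "http://b.example", untainted: new Set(["title"]),
                  props: { cookie: "sid=constructed", title: "Accounts" } };
  const s = new Script("http://a.example");
  const cookie = s.read(other, "cookie");
  const result = {
    derived: s.send("http://a.example", s.concat("q=", cookie)),  // tainted by derivation
    backHome: s.send("http://b.example", cookie),                 // returns to its own server
    untaintedTitle: s.send("http://a.example", s.read(other, "title")),
  };
  s.test(cookie, (v) => v.length > 0);                            // script is now tainted
  result.afterTest = s.send("http://a.example", "plain string");
  return result;
}
console.log(demo());
```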



Northeast Parallel Architectures Center, Syracuse University, npac@npac.syr.edu

Page produced by wwwfoil on Sat May 24 1997