Hi,
I was reading through my friendly `Webmaster in a Nutshell' O'Reilly book, and
I came across a reference to the creation of Java objects from JavaScript
i.e.:
<SCRIPT LANG=JavaScript>
var s=java.lang.System;
s.out.println("this is a test");
// or even
var r=new java.lang.String("this is a string");
</SCRIPT>
This intrigued me, so my mind turned (as it does) to matters of security. One
thing you can't do with these dynamically created Java objects is make any
outbound network connections, or successfully receive any incoming connections.
One concerning thing you can do is:
javascript:while(true) { (new java.awt.Frame("DoS!")).show(); }
This will very quickly open lots of windows you can't close.
I don't see these as serious issues, but something that we should be aware of.
Ian
--
Ian McKellar                   imckellar@harvestroad.com.au
Web Author                     Phone: +61 8 9389 6200
Harvest Road Communications    Fax: +61 8 9389 6201
Finger ian@harvestroad.com.au for my Public PGP Key

Copyright (c) 1997 Ian McKellar, All Rights Reserved. Publication or
distribution without the prior consent of the copyright holder is prohibited.