Signed javascript?

Hi,

I just wonder if anybody can help me with this:
I need to give my javascript code some extended permissions for disk access on client's machine,
and as i understand i need to sign this js. Can someone tell me how to sign js to work with with ie?
Can i put my js file into jar and use jarsigner for that?
And by the way, would it give me disk access permissions?

I need that for the following: our client gets a cd from us with some mp3 files. When they log onto
our web site, they see some links:
eg <a href="file:///e:/resource/file.mp3"><a/>

pointing to the files in their cd, so when they click on a link, that file should start playing.

Or is there another way to access client's disk from a web page for a task like described?

I would highly appreciate any ideas/suggestions!

Thank you in advance!
Andrey

On Wed, 06 Oct 2004 14:48:06 GMT, Andrey wrote:
[color=blue]
> Can i put my js file into jar and use jarsigner for that?[/color]

You can put Java classes into a jar and use Sun's jar signing
tool to give it extended privileges, but that will not work
with *Javascript*.
<http://www.physci.org/codes/javafaq.jsp#js>

Figure out exactly what you are dealing with before you proceed.

--
Andrew Thompson
http://www.PhySci.org/codes/ Web & IT Help
http://www.PhySci.org/ Open-source software suite
http://www.1point1C.org/ Science & Technology
http://www.lensescapes.com/ Images that escape the mundane

Andrew Thompson wrote:

<snip>[color=blue]
> You can put Java classes into a jar and use Sun's jar signing
> tool to give it extended privileges, but that will not work
> with *Javascript*.
> <http://www.physci.org/codes/javafaq.jsp#js>
>
> Figure out exactly what you are dealing with before you proceed.[/color]

That post seemed perfectly on-topic to me. The OP was obviously asking
whether JavaScript can be put into a jar file and signed, just like Java
can.

At least, I imagine that by "js file" it was meant "file with a .js
extension"....

Stewart.

Andrew Thompson wrote:[color=blue]
> On Wed, 06 Oct 2004 14:48:06 GMT, Andrey wrote:
>
>[color=green]
>>Can i put my js file into jar and use jarsigner for that?[/color]
>
>
> You can put Java classes into a jar and use Sun's jar signing
> tool to give it extended privileges, but that will not work
> with *Javascript*.
> <http://www.physci.org/codes/javafaq.jsp#js>
>
> Figure out exactly what you are dealing with before you proceed.[/color]

Andrew, my question is about JavaScript, not Java.
Maybe it confused you when i asked about signing jar file, but i've seen something on the internet
about calling javascript from a signed jar - yes, just client-side javascript code, not a Java
applet or anything else.

Ok, here's my problem - say i have a bunch of links on my web page and i need to show/hide them
depending on what files present on client's machine - so i want to do it using JavaScript/DHTML.

But to access client's resources(eg CD-ROM), i need to get special permissions, right?
So my question is if JavaScript code can be signed to get access to client's resources?

I've seen in a js book that UniversalBrowserRead (or something like that) permissions are required,
so my question is how do i do that?

Thank you in advance,
Andrey

Stewart Gordon wrote:
[color=blue]
> Andrew Thompson wrote:
>
> <snip>
>[color=green]
>> You can put Java classes into a jar and use Sun's jar signing tool to
>> give it extended privileges, but that will not work with *Javascript*.
>> <http://www.physci.org/codes/javafaq.jsp#js>
>>
>> Figure out exactly what you are dealing with before you proceed.[/color]
>
>
> That post seemed perfectly on-topic to me. The OP was obviously asking
> whether JavaScript can be put into a jar file and signed, just like Java
> can.[/color]

You are right :) But more generally i've asked if there is a way to enable javascript access to a
local resource (hard-drive or cd-rom)

Do you know anything about this?
[color=blue]
>
> At least, I imagine that by "js file" it was meant "file with a .js
> extension"....[/color]
That's perfectly true :)

Thank you
Andrey

"Andrey" <leyandrew@yahoo.com> wrote in message
news:WpU8d.341509$Fg5.329447@attbi_s53...[color=blue]
> Andrew Thompson wrote:[color=green]
> > On Wed, 06 Oct 2004 14:48:06 GMT, Andrey wrote:
> >
> >[color=darkred]
> >>Can i put my js file into jar and use jarsigner for that?[/color]
> >
> >
> > You can put Java classes into a jar and use Sun's jar signing
> > tool to give it extended privileges, but that will not work
> > with *Javascript*.
> > <http://www.physci.org/codes/javafaq.jsp#js>
> >
> > Figure out exactly what you are dealing with before you proceed.[/color]
>
>
> Andrew, my question is about JavaScript, not Java.
> Maybe it confused you when i asked about signing jar file, but i've seen[/color]
something on the internet[color=blue]
> about calling javascript from a signed jar - yes, just client-side[/color]
javascript code, not a Java[color=blue]
> applet or anything else.
>
> Ok, here's my problem - say i have a bunch of links on my web page and i[/color]
need to show/hide them[color=blue]
> depending on what files present on client's machine - so i want to do it[/color]
using JavaScript/DHTML.[color=blue]
>
> But to access client's resources(eg CD-ROM), i need to get special[/color]
permissions, right?[color=blue]
> So my question is if JavaScript code can be signed to get access to[/color]
client's resources?[color=blue]
>
> I've seen in a js book that UniversalBrowserRead (or something like that)[/color]
permissions are required,[color=blue]
> so my question is how do i do that?
>
>
> Thank you in advance,
> Andrey
>[/color]

Perhaps a modification of the following?

<html>
<head>
<title>if_file.htm</title>
</head>
<body>
<script type="text/javascript">
var wNT = "C:\\WinNT\\system.ini";
var w98 = "C:\\Windows\\system.ini";
var oFSO = new ActiveXObject("Scripting.FileSystemObject");
if (oFSO.FileExists(wNT)) alert(wNT);
if (oFSO.FileExists(w98)) alert(w98);
</script>
</body>
</html>

McKirahan wrote:

<...>[color=blue]
>
> Perhaps a modification of the following?
>
> <html>
> <head>
> <title>if_file.htm</title>
> </head>
> <body>
> <script type="text/javascript">
> var wNT = "C:\\WinNT\\system.ini";
> var w98 = "C:\\Windows\\system.ini";
> var oFSO = new ActiveXObject("Scripting.FileSystemObject");
> if (oFSO.FileExists(wNT)) alert(wNT);
> if (oFSO.FileExists(w98)) alert(w98);
> </script>
> </body>
> </html>
>[/color]

Right, that's exactly what i want to do, but the problem that IE will not allow to run this script
on client machine because of security issues.
So i need to make this javascript 'trusted', and that's my question - how?

Thank you,
Andrey

Signed JavaScript technology (.js in .jar) has been implemented in 4th
Netscapes and died with them. Starting 5th version (AKA 6th) they dropped
it. IE never supported it. Also even then you would not get the disc access,
it was all for "little" privileges: chromeless windows, off-screen
positioning etc.

You may start with a simple BlahBlah.hta page
If user grants permission on request, you can create an FileObject and go
on.

Also put a complain form on the same page ("My X browser doesn't work, what
a hell?")
If you collect at least 40-50 nasty ones, you may consider to buy a code
signing cert and mess up with signed applets/ActiveX. Up to that point HTA
would be sufficient.
:-)
:-|

"Andrey" <leyandrew@yahoo.com> wrote in message
news:M9V8d.190998$MQ5.20101@attbi_s52...[color=blue]
> Right, that's exactly what i want to do, but the problem that IE will not[/color]
allow to run this script[color=blue]
> on client machine because of security issues.
> So i need to make this javascript 'trusted', and that's my question - how?
>
> Thank you,
> Andrey[/color]

As VK suggested, try an HTA (HTML Application):

<html>
<head>
<title>if_file.hta</title>
</head>
<body>
<script type="text/javascript">
var wNT = "C:\\WinNT\\system.ini";
var w98 = "C:\\Windows\\system.ini";
var oFSO = new ActiveXObject("Scripting.FileSystemObject");
if (oFSO.FileExists(wNT)) alert(wNT);
if (oFSO.FileExists(w98)) alert(w98);
</script>
</body>
</html>

McKirahan wrote:
[color=blue]
> "Andrey" <leyandrew@yahoo.com> wrote in message
> news:M9V8d.190998$MQ5.20101@attbi_s52...
>[color=green]
>>Right, that's exactly what i want to do, but the problem that IE will not[/color]
>
> allow to run this script
>[color=green]
>>on client machine because of security issues.
>>So i need to make this javascript 'trusted', and that's my question - how?
>>
>>Thank you,
>>Andrey[/color]
>
>
> As VK suggested, try an HTA (HTML Application):
>
> <html>
> <head>
> <title>if_file.hta</title>
> </head>
> <body>
> <script type="text/javascript">
> var wNT = "C:\\WinNT\\system.ini";
> var w98 = "C:\\Windows\\system.ini";
> var oFSO = new ActiveXObject("Scripting.FileSystemObject");
> if (oFSO.FileExists(wNT)) alert(wNT);
> if (oFSO.FileExists(w98)) alert(w98);
> </script>
> </body>
> </html>
>[/color]

Ok, it's closer. But if i launch this hta file, it pops a new blank window after the alert is ok'd.
But i need to integrate this into my existing web site, with no additional windows to popup.

VK wrote:
[color=blue]
> Signed JavaScript technology (.js in .jar) has been implemented in 4th
> Netscapes and died with them. Starting 5th version (AKA 6th) they dropped
> it. IE never supported it. Also even then you would not get the disc access,
> it was all for "little" privileges: chromeless windows, off-screen
> positioning etc.
>
> You may start with a simple BlahBlah.hta page
> If user grants permission on request, you can create an FileObject and go
> on.
>
> Also put a complain form on the same page ("My X browser doesn't work, what
> a hell?")
> If you collect at least 40-50 nasty ones, you may consider to buy a code
> signing cert and mess up with signed applets/ActiveX. Up to that point HTA
> would be sufficient.
> :-)
> :-|
>[/color]
Well, hta don't work for me - when i load a hta page, it gives an option to Open/Download, which is
not clear for a user in the first place - our users are ... just users, if you know what i mean :)))
Also it pops a new blank window after i choose Open.
But the problem is that i may not change the structure we have, i may only add some functionality to
the existing aspx/html pages.
And i'm ok if i need to buy a certificate (from VeriSign?) - anyway my boss will be buying it, so i
don't care :)
But i need to get to the right direction with that - say, how can ActiveX help me?
I tried using the code McKirahan provided, but on html page not a hta, and got an error that
automation server can't create an object () - is it a permissions issue?
Error appeared while executing
var oFSO = new ActiveXObject("Scripting.FileSystemObject");

Speaking about java applets - i use "tinyplayer" - free java applet for playing mp3's.
If i sign this applet and place in on the web page on the web server, it allows me to play files
from my local server (i put link like "http://localhost:81/file.mp3"), but if i give it a file:///
location it doesn't play - i guess also permissions...

So what about ActiveX? Where should it be placed?

Please please please any ideas!

Thank you in advance
Andrey

You can run Javascript code that accesses local resources like
ActiveXObject, etc., from within a web-page. You must put the code (js
files) in a signed CAB file.

I did this many years ago with Internet Explorer 4.x and 5.x. They
have have removed that priviledge in IE 6.0, but I'm not certain about
that.

-Kody

On 8 Oct 2004 14:18:29 -0700, Kody Brown wrote:
[color=blue]
> You can run Javascript code that accesses local resources like
> ActiveXObject, etc., from within a web-page. You must put the code (js
> files) in a signed CAB file.[/color]

I can finally make sense of the OP's statement.

CAB files are for the MSVM exclusively.
[color=blue]
> I did this many years ago with Internet Explorer 4.x and 5.x. They
> have have removed that priviledge in IE 6.0, but I'm not certain about
> that.[/color]

...given they have removed the MSVM[1], it is not a
question of removing the 'privilege'..

[1] The MSVM is also actively being removed from remaining IE
(4/5 & 6) implementations that have it. I distribute a Java
tool that removes it[2], though there are a variety of ways
to remove or disable the MSVM.

[2] <http://www.physci.org/jvmclean.jsp>

--
Andrew Thompson
http://www.PhySci.org/codes/ Web & IT Help
http://www.PhySci.org/ Open-source software suite
http://www.1point1C.org/ Science & Technology
http://www.lensescapes.com/ Images that escape the mundane