Amnon wrote:
I'd like to announce release 1.0.7 of JNEXT (JavaScript Native
Extensions). JNEXT is an open source framework for securely accessing
the full range of native OS resources (files, databases, sockets etc.)
by using JavaScript from within a Web Page. It is light weight, cross
platform, cross browser and designed with simplicity in mind.
More information is available at http://jnext.org
JavaScript's design is centered around a global object that is the shared
container for all of the scripts on a page. JavaScript gives every script the
same rights and privileges, regardless of where they came from or how they got
on the page. This is what enables XSS attacks. If an attacker can get script
onto your page, their script can do anything your script can do, including
talking to your server. There is no way your server can tell your script and
their script apart.
The problem is worsened by the web's use of several languages (HTTP, HTML, CSS,
JavaScript, URL, SQL, etc) that can all be embedded in each other, that all have
different quoting, commenting, and escapement conventions. This makes it
surprisingly easy for an attacker to hide scripts in content that appears to be
safe.
In that context, you want to give scripts access to the native resources. This
is extremely risky.
Ultimately, we need to replace JavaScript with a secure language, a language
that resists XSS attacks. The proposed ES4 that is being debated right now is
not that language. It retains the global object, and adds a lot of complicated
stuff. It is a move in the wrong direction.
The capabilities provided thru JNEXT are certainly useful. But until we fix the
browser, it isn't safe to make them available to web pages.
http://javascript.crockford.com/