
JavaScript Native Extensions

Hi,

I'd like to announce release 1.0.7 of JNEXT (JavaScript Native
Extensions). JNEXT is an open source framework for securely accessing
the full range of native OS resources (files, databases, sockets etc.)
by using JavaScript from within a Web Page. It is lightweight, cross
platform, cross browser and designed with simplicity in mind.

More information is available at http://jnext.org

If there are any Mac developers that wish to help port the framework to
OS/X please contact me. Also any developers that wish to extend the
framework with additional plugins are welcome to send an email for more
information.

Thanks,
Amnon
Nov 6 '07 #1
Amnon wrote:
> I'd like to announce release 1.0.7 of JNEXT (JavaScript Native
> Extensions). JNEXT is an open source framework for securely accessing
> the full range of native OS resources (files, databases, sockets etc.)
> by using JavaScript from within a Web Page. It is lightweight, cross
> platform, cross browser and designed with simplicity in mind.
>
> More information is available at http://jnext.org

JavaScript's design is centered around a global object that is the shared
container for all of the scripts on a page. JavaScript gives every script the
same rights and privileges, regardless of where they came from or how they got
on the page. This is what enables XSS attacks. If an attacker can get script
onto your page, their script can do anything your script can do, including
talking to your server. There is no way your server can tell your script and
their script apart.

The problem is worsened by the web's use of several languages (HTTP, HTML, CSS,
JavaScript, URL, SQL, etc) that can all be embedded in each other, that all have
different quoting, commenting, and escapement conventions. This makes it
surprisingly easy for an attacker to hide scripts in content that appears to be
safe.

In that context, you want to give scripts access to the native resources. This
is extremely risky.

Ultimately, we need to replace JavaScript with a secure language, a language
that resists XSS attacks. The proposed ES4 that is being debated right now is
not that language. It retains the global object, and adds a lot of complicated
stuff. It is a move in the wrong direction.

The capabilities provided thru JNEXT are certainly useful. But until we fix the
browser, it isn't safe to make them available to web pages.

http://javascript.crockford.com/
Nov 6 '07 #2
On Nov 6, 5:35 am, Douglas Crockford <nos...@sbcglobal.net> wrote:
> Ultimately, we need to replace JavaScript with a secure language, a language
> that resists XSS attacks. The proposed ES4 that is being debated right now is
> not that language. It retains the global object, and adds a lot of complicated
> stuff. It is a move in the wrong direction.

In the last few talks of yours that I have watched you have repeated
this point about security and mashups with a good case built up why
change is needed. I've also seen several sources where you make
negative comments, directly or implied, about ES4. You were part of the
ES3.1 proposal but it doesn't fix the problems either.

I think the negativity deserves some balance. Now that folks have
heard your message about how the current situation and the committee
proposals (HTML, CSS, ES) are all wrong, how about you and a gang of
Yahoo! programmers write a new browser with a new model for the web
that is backwards compatible (ie can render current pages) and will
take us the next 10 years?

Peter

Nov 6 '07 #3
> The problem is worsened by the web's use of several languages (HTTP,
> HTML, CSS, JavaScript, URL, SQL, etc) that can all be embedded in each
> other, that all have different quoting, commenting, and escapement
> conventions. This makes it surprisingly easy for an attacker to hide
> scripts in content that appears to be safe.
>
> In that context, you want to give scripts access to the native
> resources. This is extremely risky.

You make a valid point about security issues with the current state of
affairs. My angle on this is that the problems cannot be addressed by
starting from scratch, not because it's not right to do it, but simply
because it is not feasible.

JNEXT attempts to address the security issues by means of a white list,
stored in a file on the client side. The only way for a malicious script
to do harm is to be located on a site which has been explicitly added by
the user as a trusted site. While there will always be workarounds by
hackers, I think this is a reasonable solution but of course I'll
welcome any suggestions for improvements.

With JNEXT, it
> The capabilities provided thru JNEXT are certainly useful. But until we
> fix the browser, it isn't safe to make them available to web pages.

If you learn anything from history, then you understand it is naive to
assume it is possible to make a foolproof (or hacker-proof) system. The
best you can do is raise the bar on the amount of creativity and
intelligence that is required to break the system and, as I stated
earlier, I believe this is going to be an evolutionary process and not a
revolutionary one.

-Amnon
Nov 6 '07 #4
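The two positions in this thread, Crockford's shared global object and Amnon's client-side trusted-site whitelist, can be put side by side in a small simulation. This is an added example and not JNEXT's code or anyone's code from the thread: the whitelist file format, the `bridge.readFile` capability, the file contents and the origins are all hypothetical. It models a browser page as one shared global object on which every script runs, and a native bridge that can only key its check on the page's origin, because that is the only identity a browser gives it.

```javascript
// Added example (not from JNEXT or from this thread): a simulated
// client-side trusted-site whitelist guarding a native capability, run
// against a page whose own script and an injected script share one
// global object. Whitelist format, bridge API, file contents and
// origins are all hypothetical.

// Constructed contents of the user's client-side whitelist file.
const WHITELIST_FILE = `
# trusted sites, one origin per line
https://intranet.example
https://tools.example:8443
`;

// Normalise each entry to scheme://host[:port] so the comparison below
// is against the same value the browser reports as the page origin.
function parseWhitelist(text) {
  return new Set(
    text.split('\n')
      .map((l) => l.trim())
      .filter((l) => l && !l.startsWith('#'))
      .map((l) => new URL(l).origin)
  );
}

// The bridge decides on the page origin. It has no way to see which
// script on the page is calling, so the decision applies to all of them.
function makeBridge(whitelist, pageOrigin, nativeFs) {
  const trusted = whitelist.has(pageOrigin);
  return {
    readFile(path) {
      if (!trusted) throw new Error(`origin ${pageOrigin} is not in the whitelist`);
      if (!nativeFs.has(path)) throw new Error(`no such file: ${path}`);
      return nativeFs.get(path);
    },
  };
}

// Simulated page: every script, whatever its source, runs against the
// same global object, as in a real browser.
function runPage(pageOrigin, whitelist, scripts) {
  const nativeFs = new Map([['/home/user/secrets.txt', 'hunter2']]); // constructed
  const pageGlobal = {
    bridge: makeBridge(whitelist, pageOrigin, nativeFs),
    exfil: [], // stands in for requests to an attacker's server
  };
  const results = [];
  for (const [name, script] of scripts) {
    try {
      results.push({ script: name, ok: true, value: script(pageGlobal) });
    } catch (e) {
      results.push({ script: name, ok: false, error: e.message });
    }
  }
  return results;
}

// The page's own script and an injected one (think of a stored XSS
// payload in a comment) are indistinguishable to the bridge.
const pageScript = (g) => g.bridge.readFile('/home/user/secrets.txt').length;
const injectedScript = (g) => {
  const data = g.bridge.readFile('/home/user/secrets.txt');
  g.exfil.push(data);
  return data;
};

// Runs the same two scripts on an untrusted page and on a trusted one.
function demo() {
  const wl = parseWhitelist(WHITELIST_FILE);
  const scripts = [['page', pageScript], ['injected', injectedScript]];
  return {
    untrusted: runPage('https://evil.example', wl, scripts),
    trusted: runPage('https://intranet.example', wl, scripts),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The output shows what the whitelist does and does not buy: on `https://evil.example` both scripts are refused, which is the case the whitelist is designed for; on `https://intranet.example` both succeed, injected script included, because the check runs on the document's origin and not on the provenance of the script. The whitelist therefore narrows the attack to "find script injection on a trusted site", which is Crockford's point that the browser, not the bridge, is what decides who can call the capability.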
