Javascript File i/o

Thursday May 25th, 2000

Pete Collins from Alphanumerica and Mozilla developers have created a Javascript interface for doing file i/o in Mozilla, which will allow new Mozilla components like Alphanumerica's Crash Recovery system to function properly.

Patterned after the PHP filesystem functions, simple functions such as file read/write and directory create are supported. The code has not yet made it into the nightly build, but they expect it will get in soon.

Note from AN: There seems to be a misconception about Javascript File I/O being a security risk. It is important to clarify that this project is not opening any security holes in Mozilla. There is a difference between Javascript on the Internet and Javascript inside the application. Javascript is used inside Mozilla to create the functionality for the application. This is in contrast to any Javascript downloaded from the Internet that is used for functionality only inside a Web page. This project does not grant any access to Javascript found on the Internet. For more information about how Javascript is used inside Mozilla read more about XPCOM and XPConnect.

#15 Moz security

by svn <>

Thursday May 25th, 2000 2:48 PM

You are replying to this message

I am not a security expert, but I do worry about browser security. As far as I know, Mozilla is as "secure" as NS4.x. Of course, there will always be new Javascript vulnerabilities discovered.

Mozilla does have a powerful new feature, XPConnect, which is not present in NS4.x. The file I/O package uses XPConnect. By default, scripts in web pages cannot access XPConnect. Only scripts living in the chrome directory on your local hard disk can access XPConnect. In other respects, I would presume the Mozilla security model is the same as, or very similar to, the NS4.x security model (same origin policy, codebase principal, signed scripts etc.)

Placing files in the chrome directory usually requires user intervention, such as clicking an Install button in a scary looking dialog. One would have to allow this because otherwise you would never be able to upgrade your browser, or install optional components.

Skins are strictly defined as CSS + image files (no Javascript). Skins may be installed without user intervention, I think. The zip files in the chrome zone, although called "skins", are technically "packages", which are allowed to contain Javascript. They do require user intervention to install.

Hope this clarifies things a bit!