Date: Mon, 3 Mar 1997 22:38:35 -0800
Message-Id: <199703040638.WAA06958@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: pflesher@imsidc.com
Subject: Re: Java and JavaScript security questions
> I have a customer who has disabled Java, JavaScript, and ActiveX through
> their Firewall system. However, they have a need to allow the use of
> JavaScripts within the organization and to also allow users to access
> external JavaScripts on the WWW. Their questions concerning this are as
> follows:
People need to weigh the cost/benefit of using flexibility over
the net, to exposing resources. JavaScript (aka LiveScript) is not
Java; it's not written in Java; it is interpreted by another
interpreter that is embedded in Netscape Navigator; it does not have a
sandbox like Java does.
>
> 1) Can JavaScripts call Java Applets? If this is the case and they open
> JavaScript capability through the firewall but continue to block Java
> will this effectively stop the Java Applet from executing since it is
> called by the JavaScript application?
In Netscape Navigator, I believe JavaScript can call Java, and vice
versa. However, I have not programmed this way myself; you should
consult either Netscape or a book about JavaScript for info about
JavaScript. Despite the name, it's not related to Java.

If people have JavaScript enabled and Java disabled, then any applet
invoked by JavaScript would (presumably) not be able to run. However,
the only way to know for sure is to get a commitment from Netscape on
this, or to try it out for yourself.

Personally, this seems backward to me; Java applets are contained to
the sandbox, whereas JavaScript is not, so if you're going to disable
one and not the other, I think Java would be the one to leave
enabled.
>
> 2) Java Applets loaded from Netscape 2.0 and above cannot read or write
> files? Is this true?
Yes, this is true, they cannot read or write files on the local disk.
Check out
for details on what the Java sandbox allows applets to do, or not to
do. See also
>
> 3) Are there still any inherently secure problems with allowing JavaScripts
> to run through a firewall system?
I have no idea - please ask Netscape.
In addition to the URLs noted above, you can find Q&A about Java
security at
http://jeeves.javasoft.com/hypermail/java-security-archive/index.html
Marianne
JavaSoft engineering, security