Date: Mon, 12 May 1997 20:53:27 +0200
From: Benjamin de la Porte des Vaux <delaport@euklid.informatik.uni-dortmund.de>
To: java-security@web2.javasoft.com
Subject: Java-dependant problem

Thanks for your answer.
I know that Java (from SUN)
and Javascript (from Netscape)
aren't related even if their
names are very close.
I've effectively tested "my"
Security Hole with Netscape.
But I've contacted you because
it seems to be a Java-dependent
problem...
As a matter of fact:
Java makes it possible to call URLs.
And URLs (at least with Netscape)
could be something like:
"javascript:<javascriptFunctions>".
Which means that Java is then
able to invoke Javascript,
which, in itself, constitutes a
security hole.
cf this (non-hostile, only
friendly demonstrative) Web Page:
(especially "Infected applets")
http://euklid.informatik.uni-dortmund.de/~delaport/rep/security.html
Even if this problem only occurs
with Netscape, I think it would be
a good idea (I mean: for security
reasons) to make the interpreter
check the invoked URLs and allow
only those with a safe protocol.
Even if I've had some clues that
Java doesn't really like the
Javascript-URLs, I've seen that
they are not stopped:
that is the problem.
Feedback is still welcome.
Yours Sincerely,
Benjamin.
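
The check proposed in the message above (inspect each invoked URL and allow only safe protocols), sketched as an added example that is not part of the original message or of any Java runtime's code. The class name `SchemeAllowlist`, the contents of the allowlist and the sample inputs are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

public class SchemeAllowlist {
    // Assumption: the message names no specific "safe" protocols; this set is illustrative.
    private static final Set<String> ALLOWED = Set.of("http", "https", "ftp");

    // Returns the lower-cased scheme, "" for a relative reference, or null if malformed.
    static String schemeOf(String url) {
        // Browsers ignore tab, CR and LF inside a URL and trim leading spaces and
        // control characters, so normalise the same way before parsing.
        String s = url.replaceAll("[\\t\\n\\r]", "").replaceFirst("^[\\x00-\\x20]+", "");
        int colon = s.indexOf(':');
        if (colon < 0) return "";
        if (colon == 0) return null;                            // empty scheme name
        for (int i = 0; i < colon; i++) {
            char c = s.charAt(i);
            if (c == '/' || c == '?' || c == '#') return "";    // colon belongs to path or query
            boolean alpha = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
            boolean rest = (c >= '0' && c <= '9') || c == '+' || c == '-' || c == '.';
            if (!(alpha || (i > 0 && rest))) return null;       // not a valid scheme name
        }
        return s.substring(0, colon).toLowerCase(Locale.ROOT);
    }

    // Fail closed: anything malformed or outside the allowlist is refused.
    static boolean isAllowed(String url, String documentScheme) {
        String scheme = schemeOf(url);
        if (scheme == null) return false;
        // A relative reference inherits the scheme of the document it is resolved against.
        if (scheme.isEmpty()) scheme = documentScheme.toLowerCase(Locale.ROOT);
        return ALLOWED.contains(scheme);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the original message.
        String[] samples = {
            "http://example.org/index.html",
            "docs/page.html",
            "javascript:<javascriptFunctions>",
            "JavaScript:<javascriptFunctions>",
            " java\tscript:<javascriptFunctions>",
            "unknown-scheme:data",
        };
        for (String u : samples) {
            System.out.println((isAllowed(u, "http") ? "ALLOW  " : "REFUSE ") + u.replace("\t", "\\t"));
        }
    }
}
```

With these inputs the first two URLs are allowed and the remaining four are refused, including the mixed-case and whitespace-padded forms that a plain string comparison against `javascript:` would miss.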