Joe Asks

^ Is Allowing JavaScript to Call Java Dangerous?

Whenever you allow a web page to access local resources or call functions outside the browser sandbox, you need to consider the security implications very carefully. For example, you wouldn't want to create a method to allow JavaScript to read data from any arbitrary path name because that might expose some private data to a malicious site that knew about your method and your filenames.

Here are a few things to keep in mind. First, don't rely on security by obscurity. Enforce limits on the pages that can use your methods and on the things those methods can do. And remember the golden rule of security: don't rule things out; rule them in. In other words, don't try to check for all the bad things that someone can ask you to do (for example, invalid characters in a query). You're bound to miss something. Instead, disallow everything, and pass only the good things you know are safe.

0 0

Post a comment