↑
Main Page
Signed scripts
You may remember this line of code from Chapter 17, “Web Services.” This privilege was necessary in
order to complete the Web Service calls. The
UniversalBrowserRead
privilege also allows you to
access the URLs in the browser ’s history, such as the following:
netscape.security.PrivilegeManager.enablePrivilege(“UniversalBrowserRead”);
for (var i=0; i < history.length; i++){
alert(history[i]);
}
This script outputs the URL of each page in the browser’s history, as stored in the
history
object.
As soon as you have completed the use of privileged actions, it’s best to disable the privilege to ensure
that no malicious scripts can use the privilege:
netscape.security.PrivilegeManager.enablePrivilege(“UniversalBrowserRead”);
for (var i=0; i < history.length; i++){
alert(history[i]);
}
netscape.security.PrivilegeManager.disablePrivilege(“UniversalBrowserRead”);
The
UniversalBrowserWrite
privilege is perhaps the most interesting because it enables you to avoid
the window restrictions mentioned earlier in this chapter. When this privilege is enabled, you can:
?
Resize windows to be less than 100 x 100 or greater than the user ’s desktop size.
?
Move windows off screen.
?
Create windows without a window title.
?
Close a window using
close()
regardless of how the window was opened.
If a privilege is requested and not accepted, then the JavaScript Console displays a message saying,
“User did not grant privilege”
.
Signed scripts
In order to use the extended privileges, your script must be signed. JavaScript files can be signed in the
same manner as applets, and doing so allows access to these privileges. Signing a script involves obtain-
ing a digital certificate from a security firm that authenticates the script’s location, publisher, and usage.
When a signed script is loaded, the browser displays a message asking if the signed script should be
allowed to access the extended privileges it may use.
The Mozilla Foundation provides SignTool to aid in the signing of scripts. This small utility packages a
script into a JAR file along with its digital certificate. In order to use signed scripts, the containing HTML
page must be accessed using a URL with the following format:
jar:http://www.yourdomain.com/signedscripts.jar!/page.htm
When the script is properly signed and accessed with an appropriate URL, the user just accepts the digi-
tal certificate; he is not required to allow each privilege as it is enabled.
567
Deployment Issues
22_579088 ch19.qxd 3/28/05 11:43 AM Page 567
Free JavaScript Editor
Ajax Editor
©
→