Hi Sarah,
Thanks for your answer.
I already know that I can enable/disable Java/JavaScript. But I do not want to disable them. I'd rather like to have control over whether JavaScript is permitted to call Java methods or not.
As you know, Java runs in a virtual environment and has its own security model which creates a relatively protected environment.
Everything that runs in that protected environment should stay in there just for Java. If another application can access that environment, then it's no longer protected and therefore not secure.
JavaScript does not run in a secure environment; therefore JavaScript cannot do things Java can. For example, reading and writing files is not possible in JavaScript. If it could write files, we would lose all and any security, because any page you open on the internet would then be able to access your computer's file system.
In Firefox it is possible to execute some Java code initiated by JavaScript. That means JavaScript punches a hole into Java's protected environment and now can do things JavaScript should not be able to do. That is a security violation.
In IE that's impossible.
You can test that yourself. The following simple JavaScript code calls Java which then gets the computer's host name and IP address:
Code:
javascript:var addr=java.net.InetAddress.getLocalHost();alert(addr.getHostName()+"\n"+addr.getCanonicalHostName()+"\n"+addr.getHostAddress())
Just enter the code in the address bar (all on one line) and hit return. It may take a few seconds until Java's Virtual Machine has been started.
Gecko then displays the message box; IE does not -- Gecko is insecure, IE is secure.
I'd like to have control over that behaviour.