Applet Persists Indefinitely; Breaks into JavaScript

Contents
Introduction
Intro pt 1
Intro pt 2
Intro pt 3
Intro pt 4
An Illustration of these Techniques
An Applet Example
An Active X Example
A Pseudo-Constructor Example
Pseudo-Constructor pt 2
Applet Persists Indefinitely; Breaks into JavaScript
Persistence
Conclusion

Persistence

If you visit the experimental part of my home site, then my applet will launch a shopping cart frame which you cannot remove by any means until I permit it, or until you turn off your browser, or in some cases, if you use an early version of Explorer 4, until you turn off your machine. If you use a recent Netscape browser, then I can program the JavaScript on every page that you visit after leaving my site. If you use Explorer 4 and especially 5, then it is likely that I can jump to my home site, from any place where you are browsing, without your permission, and interact further, as I wish, with my applet. Within my home site, I can communicate between one HTML page and another without the use of cookies or Active Server Pages. I can program JavaScript freely, from a persistent applet that is launched on one particular page within my site, on almost any browser, and on any HTML page as you move within my site.

What about security? An applet is identified, by the Java virtual machine, by name and code base. In the same way that a digital signature allows the writer of an Active X program to be uniquely identified, so the codebase tag that is carried with an applet will always point to its author – in this case, me. My ability to break out of the home page, to persist indefinitely, to remember things, and then to break into JavaScript on other pages is therefore not, in my opinion, a major problem. It simply changes the way in which we look at applet security, to bring it closer to Authenticode-signed Active X.

Jump to http://209.87.142.42/experimentalShopcart/Page1.htm. Buy something, travel to a random site, and press the ‘Home’ or ‘Checkout…’ button. (The worst that can happen is that with some older browsers – Explorer 4.01 and Windows 95, for instance – you may crash your browser. The applet has been ported to JDK 1.1, and therefore it will also no longer work with earlier JDK 1.0.2 Netscape browsers, such as Versions 4.0x; Versions 4.5 through 4.7, and so on, are fine.) When you press the ‘Home’ or ‘Checkout…’ button, a new window comes up on most browsers, and on Netscape, the status line at the bottom of the browser is altered to say, “JavaScript successfully accessed by Lane Friesen.”


Lane Friesen

lanelise@dowco.com
