Applet Persists Indefinitely; Breaks into JavaScript
Conclusion
In Explorer, the merchant's
home site is placed into the new window – this works until the applet gets confused about frame addressing
(hey, it’s experimental) - and you can purchase additional items. All of this is done by breaking into the
JavaScript interpreter for the current page, from within a persistent applet. Notice that the JAVA frame
which was launched within the commercial site persists into any site, and that the buttons continue to
work – JAVA can do all the things that JAVA can do, on any page, and no one is able to stop it without
my permission. This results from the formation of a pseudo-constructor.
Within the commercial site, the applet can carry information from page to page, without the use of cookies.
This results from exploiting a new kind of HTML memory. A program which is launched on one
particular page can break into JavaScript on every page within the launching site. This appears to work
on all recent browsers, and not just on Netscape.
How does one break into JavaScript? Get the JSObject for the current window, with MAYSCRIPT
permission, and then remember it – this window object can then access JavaScript, on Netscape, even when
the HTML page has been changed, and when the new page no longer has MAYSCRIPT permission (as
long as the <APPLET></APPLET> tags in the original HTML page are surrounded by <FORM> and
</FORM> brackets). It is easier to access JavaScript ‘on site’ because the applet’s init() is called whenever
the applet is reloaded, and you can use that to refresh the window object so that it remains current –
Explorer as well as Netscape can then access JavaScript successfully. For some reason, it is possible on
both browsers to jump to a new page, from anywhere, using JavaScript, when that page is in a new
window.
I’m sure there are lots of other fun things that one can do – I would think that the designers of JAVA never
expected a JAVA class to break away from the launching page and to develop a life of its own.
Post your feedback in the JavaBoutique Forum
You can find the original exploratory article here.
Lane Friesen
lanelise@dowco.com
New on the Java Boutique:
New Review:
Time Management Made Easy with the Quartz Enterprise Job Scheduler
Why not just use the Java timer API? This open source scheduling
API boasts simplicity, ease-of-integration, a well-rounded feature
set, and it's free!
New Applet:
Reverse Complement
Reverse Complement is a simple applet that converts DNA or RNA
sequences into three useful formats.
Elsewhere on internet.com:
WebDeveloper Java
Lots of Java information on webdeveloper.com
WDVL Java
Thorough Java resource at the Web Developer's Virtual Library.
ScriptSearch Java
Hundreds of free Java code files to download.
jGuru: Your View of the Java Universe
Customizable portal with online training, FAQs, regular news updates, and tutorials.
