Why Can't JavaScript Do This?

There are lots of questions posted on JavaScript forums where someone new to JavaScript is asking how to do something that is either extremely complicated or impossible to do with JavaScript. For some reason they never want to start with learning the easy parts and work their way from there. Often the things that they are asking about are rather trivial to do in many other languages and so not all of the queries are really from someone wanting to know how to fly before they have learnt to crawl.

There are two main reasons why JavaScript does not allow you to perform certain tasks easily when it runs in a web browser (these restrictions don't usually apply to JavaScript running on a web server or as a desktop application but most beginners are unaware of all the places where JavaScript can run and do not even realise that it can be attached to the browser itself rather than just to web pages).

The first of the two reasons why JavaScript cannot do some things that can be easily done in other languages is because of security. Were JavaScript running in a web page to have the same access to the local computer the browser is on as stand alone applications on that computer have then the entire computer would be compromised. You would only need to visit one web site that displays one ad with a virus built into it and before you know it your computer would have so many viruses competing for the CPU that it would take you a decade just to have it get as far as the login screen.

To reduce this risk as much as possible and to at least allow the other security measures on your computer to get some of the resources they need to run and defend against whatever does get through, JavaScript implements who main levels of blocking. It greatly limits what is accessible on the local computer and it also limits JavaScript's ability to communicate between domains so as to reduce the opportunity for such problems to spread to additional web pages.

In some really old browsers the restrictions were not as great as they are in more modern browsers because it wasn't realised just how big a security problem that these were. Once it was realised then patches were introduced to those browsers in order to block the holes that were being exploited. Of course this meant that things that may have worked before then became impossible to do.

Now there are legitimate reasons for doing some of these things but as the security holes needed to be plugged straight away the ability of JavaScript to perform these interactions was completely removed. Since there are legitimate reasons, JavaScript experts and security experts then started working together to see what they could do to implement something back into JavaScript that will allow these tasks to be performed where necessary but without reintroducing the security holes.

The cross domain issue was finally resolved with the introduction of postMessage() into JavaScript which requires specific commands in the scripts running on both servers to be able to send and receive messages. This process works on all modern browsers and it limits communications with other domains to the specific processing that the other domain specifically makes available for this communication. Only when both domains are set up to work together is inter-domain communication possible in JavaScript. This means that you can only use it where either you have access to both domains in order to set it up or where a site makes specific functionality available for other sites to use and the owners of those other sites configure their end to work with what is provided.

The solution to the local file issue is a new collection of objects that will provide the person using the computer with the ability to make files available for the JavaScript in a web page to read. The FileReader() object when used in code that is run in response to an event triggered by the browser owner where that owner makes a file available in connection with that event will allow JavaScript to read in the content of that file and process it. This gives the control over which files can be read to the person using the computer which overcomes the associated security issues. This concept was first introduced in 2011 with only a couple of browsers volunteering to provide it so advanced JavaScript testers and security experts to test it. It will not actually be practical to use until it becomes a part of standard JavaScript and all of the modern browsers provide for it.

The second of the two reasons why JavaScript cannot do some things is because doing those things would interfere with how the person who owns the browser has their browser configured to work. For example early browsers allowed JavaScript to turn off access to the contextmenu (usually accessible via the right mouse button or the contextmenu key at the bottom right of the main section of most keyboards). Now there are a number of ways that browsers provide for performing certain tasks and different people can choose whichever of those ways that they prefer to use. When it comes to navigating between web pages you can either use the menus at the top of the browser, keyboard shortcuts, or the contextmenu. Some people turn off the menus at the top of their browser to make more space available to view web pages, they haven't learnt the keyboard shortcuts and use the contextmenu to navigate between pages. Turning off the contextmenu removes their ability to use their browser at all and so browsers introduced an option to disallow JavaScript turning it off.

Another example is the creation of popup windows. Early browsers allowed web pages to create new browser windows whenever they liked and allowed the JavaScript to specify where on the page the new window should be, how big it should be and what toolbars if any it should display. This was badly abused and so modern browsers now greatly limit JavaScript from being able to create popup windows. Such code will now only work if the code is being run in response to an event triggered by the browser owner. The browser owner can configure their browser to determine whether the request to open a new browser window will actually open a new window or simply open a new tab in the existing window. If it opens a new tab then all of the supplied information about where on the screen, how big, and what toolbars to display will be ignored. Even if it actually does open a new window browsers now require certain toolbars to be present and have a minimum size they will allow for the window. Browsers also provide options for being able to disregard any of the other information passed by the script about the window giving the browser owner full control of where the window opens, how big it is, and what optional toolbars display (even they can't turn off the ones that have been made mandatory so as to resolve security issues).

Basically this second group of restrictions allow the owner of the browser to decide how they want their browser to work and to disallow scripts on individual web pages from overriding their choices.

JavaScript sits in a position where if it weren't restricted it would have the power to do almost anything. It sits in the web browser between millions of local computers and thousands of web servers. No other language runs in an environment where it could have access to so many computers all at the same time. Also scripts are attached to individual web pages whereas there are trillions of pages on the web that don't have that particular script attached and therefore just to provide web users with consistency the JavaScript on one page is not allowed to change the overall behaviour of the web browser (which these days is likely to be displaying several other web pages at the same time).

There are many things that can be easily done in other languages or even in JavaScript where the environment where they are running is significantly limited. The browser presents a far less limited environment and so the limits to control abuse need to be built into the language that runs there - JavaScript.


This article written by Stephen Chapman, Felgall Pty Ltd.

go to top

FaceBook Follow
Twitter Follow