Jump to content

Archived

This topic is now archived and is closed to further replies.

.josh

Javascript FAQ

Recommended Posts

Basically whenever I see a "Can javascript do this.." or "I'm trying to do this, and my syntax seems right, but it's not working.." questions, it almost always has to do with violation of some security/privacy policy. So that is the overall theme you're basically going to see here.

 

This is mostly a top-level "What you can and can't do with javascript" list. While I have provided some details for answering "why", or for pointing you in the right direction for a next-step on "how", this list isn't meant to be a comprehensive tutorial to fully explain the why's and hows of limitations and how to get around them, etc.. It's simply an entry point for figuring out a next step.

 

 

Here is a list of common questions about javascript that I've seen come up a lot over the years

 

Q: Can I execute php (or other server-side) code with javascript?

A: No. Not directly. But you can setup a server-side "controller" script to accept requests with info and do things based on that info. Read up on AJAX

 

Q: Can I use javascript to interact with my database?

A: No. Not directly. See above.

 

Q: I'm trying to use AJAX to request a script and it won't work

A: 9/10 times this is because you are attempting to request something on a domain other than what the script is running on. You cannot do this, as it is a violation of the Same Domain Origin Policy. Otherwise known as Cross-Site Scripting (XSS). It is possible for a server to be setup to allow for it, but by default servers are not setup for this and 99.99% of servers do NOT allow this. And even then, the browser my still reject it, depending on the security/privacy settings set in the browser. One trick to get around this is to output a regular javascript tag (you can even make one with js and append it to the DOM). There are limitations to this, but it may be enough, depending on what you are actually trying to accomplish. If it is on the same domain and it's not working, then post your issue.

 

Q: I'm trying to get or change the contents of an iframe and it's not working

A: 9/10 times this is because you are attempting to access iframe contents hosted on a domain other than what the script is running on. You cannot do this, as it is a violation of the Same Domain Origin Policy. Otherwise known as Cross-Site Scripting (XSS). Also the same restrictions apply for javascript running on an iframed page whose parent is not of the same domain.

 

Q: I'm trying to use javascript to read/write a cookie and it's not working

A: 9/10 times this is because you are attempting to access a cookie for a domain other than what the script is running on. You cannot do this, as it is a violation of the Same Domain Origin Policy. Otherwise known as Cross-Site Scripting (XSS). Cookies set on the same root domain, but with different subdomains also fall under this restriction. For example, if you set a cookie on "foo.yoursite.com" and then try to read it on "bar.yoursite.com" you will get an error. However, you CAN set your cookie to just be the root ".yoursite.com" domain and then both subdomains can access the cookie.

 

Q: Is javascript a form of java?

A: No. They happen to share the same name because someone thought it would be cute to confuse everybody.

 

Q: Can I use javascript to execute programs or read/write to files on someone's computer?

A: The shorter and technically accurate answer is yes - if you count cookies and local storage. Cookies and local storage are files on the user's computer, but they are heavily isolated. The longer answer to the question you're really asking is, no, not directly. Javascript can invoke certain other things such as an ActiveX or Java applet, and those scripts can do this sort of thing. However, default browser settings are set to either prompt the user to allow them to be run (along with a very strongly worded warning), or outright prevent it. So even if you get the user to run the ActiveX or Java applet, those are the things that can access it, not javascript itself.

 

Q: Can I use javascript to disable or change certain browser features like print, email, rightclicking, browser history, etc.?

A: Short answer is no. Javascript has very limited (and usually no) access to "browser level" stuff. Basically, if you are asking this question then you are almost certainly trying to do something you can't do.

Common examples:

- Printing/Emailing: You can invoke the browser's print function, which will in turn invoke whatever the user has setup to happen when they would normally print, but you cannot see or control what actually happens, what program is invoked, etc. same thing with emailing, etc..

- Browser History: You can use javascript to for example simulate a forward or backward click on the browser history but you can't actually read the urls in the history or alter them.

- Disabling Rightclick: Javascript does have limited ability to disable rightclicking, but it's not reliable across browsers, and if nothing else, the user can just disable javascript.

- Exiting the site: Javascript does have limited ability to prevent a user from navigating away from the page. For example, you can write javascript to stop links from working as intended, or you can write code to initiate a popup (the infamous "are you sure you want to leave?" popup), etc. but this doesn't work across all browsers, and newer browser versions will even ask the user if they want to prevent the javascript from doing it. And there is nothing you can do to prevent a user from simply closing their browser. Also, it's incredibly rude to try and trap a user on your site, and is a really good way to ensure they will never return and also tell everybody they know to avoid your site!

- Accessing browser bookmarks/favorites: javascript cannot read bookmarks (as in, the user's bookmarks) at all. Some browsers/versions do allow you to invoke the bookmark/favorite dialog (equivalent of ctrl+d shortcut), but this isn't the same as directly adding a bookmark, and some browsers do not even support this much.

- Disabling javascript: You cannot force the browser to run javascript. If a user disables it, it is disabled, end of story.

 

Q: Can I use javascript to validate my form values?

A: Yes! But do not rely on this! It is perfectly acceptable to do some pre-validation to cut down on wasted requests to your server but you should never rely solely on javascript for form validation. It is ridiculously easy to bypass it. But also, javascript can't directly validate stuff that you would need to lookup in a file or database (e.g. correct username/password).

 

Q: Can I use javascript to control the keyboard, mouse, webcam, etc.?

A: No. You can use javascript to detect when (most) keyboard keys or mouse buttons are pressed, or current x,y coords when a mouse is moved, but only when the page the javascript is running on has focus. You cannot simulate an actual key press or button click, though you can do things like auto-pop form fields with values or invoke the click event on a form button or link. IOW you can change the state of something on your page with javascript, but you can't use javascript to act as if a user had actually pressed a button or moved the mouse. For example, you can't make the mouse curser move to another position, or you can't invoke an alt+tab or ctrl+alt+delete sequence. As far as webcams, there is no javascript interface; you can't use javascript to activate a webcam, record, receive data from it, can't even detect if it's there, etc.

 

Q: Can I use javascript to prevent people copying my html/javascript/images?

A: No. You can obfuscate your code ("security through obscurity") but this is not the same as preventing theft.

 

Q: Can I use javascript to read request/response http headers?

A: No. Many addons (e.g. firebug, httpfox, web developer) can do this because their code is within a higher scope than javascript. An addon is essentially extending the actual browser (which is why they are also known as browser extensions).

 

Q: Can I use javascript to detect what plugins/add-ons/extensions the user's browser has?

A: The short answer is no, not reliably. Firstly, take some time to read up on what the difference between a plugin, add-on and extension is. Different browsers use these terms differently. But in general, the short answer is that there is no reliable way to get a list from any browser for any of those, though it's more or less reliable to detect one if you specifically look for it, in pretty much any browser except Internet Explorer.

Share this post


Link to post
Share on other sites

The second question in particular assumes you are talking about client side (executed in the browser) javascript.

 

Server side javascript is becoming more and more popular these days and is capable of making use of many different database systems.

Share this post


Link to post
Share on other sites

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.