JavaScript has a long and inglorious history of atrocious security holes. Its security problems are not limited to implementation errors. There are numerous ways in which scripts can affect the user’s execution environment without violating any security policies. This chapter examines the security policies browsers enforce on JavaScript embedded in Web pages. (From JavaScript: The Complete Reference, second edition, by Thomas Powell and Fritz Schneider, McGraw-Hill/Osborne, ISBN: 0072253576.)
JavaScript Security - Security Zones in Internet Explorer (Page 5 of 9)
Internet Explorer 4 and later support similarly configurable security policies for different Web sites, but permit less fine-grained control than Mozilla. Every site is categorized into one of five groups (known to IE as zones):
Local Intranet: Pages fetched from local servers, generally inside your company’s firewall.
Trusted Sites: Sites you’re willing to grant extended capabilities to.
Internet: The default zone for all pages fetched from the Web.
Restricted Sites: Sites you specifically indicate as untrustworthy.
Local Machine: Pages loaded from your hard disk. This zone is implicit, meaning you can’t configure it from the Security tab. Content loaded from disk runs with extended privileges in the versions covered here (Windows XP Service Pack 2 later introduced a Local Machine Zone Lockdown that restricts script and ActiveX in locally loaded pages), so an HTML file saved to disk and opened locally gets more latitude than the same page viewed on the Web.
You can manage which sites appear in which zones by choosing Tools | Internet Options in Internet Explorer and opening the Security tab. Select a zone and click the Sites button shown in Figure 22-2 to add or remove sites from that zone.
Each zone has an associated security policy governing what sites falling into the zone can do. Internet Explorer has default security settings for each zone but also allows users to customize the settings. The default settings are called templates, and are known (from least secure to most paranoid) as Low, Medium-Low, Medium, and High; applying a template sets every individual option for the zone at once. You can see in Figure 22-3 that the default setting for the Trusted Sites zone in Internet Explorer 6 is Low. Low leaves few ActiveX-related options disabled, so adding a site to Trusted Sites grants it considerably more than the Internet zone allows.
FIGURE 22-2 Categorizing sites into security zones with Internet Explorer
FIGURE 22-3 Most security zones have a default security template.
Clicking the Custom Level button (shown in Figure 22-3) for each security zone enables you to configure specific capabilities that sites in that zone have. Figure 22-4 shows a sample of these options. Although a complete discussion of each option is outside the scope of this book, an awareness of those that apply to scriptable ActiveX controls can be useful. For a more complete introduction to IE’s security zones, see http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/overview.asp.
FIGURE 22-4 Customizing security zone properties
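The Security tab described above persists its choices in the user's registry, which is where an auditor (or a forensic examiner working from an exported hive) can check them without clicking through the dialogs: per-zone settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 through \4 (0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites), the template in a CurrentLevel DWORD, each Custom Level option in a DWORD named by its action ID (1001, 1004, 1200, 1201, 1400, 1405 for the ActiveX and scripting options), with 0 = Enable, 1 = Prompt, 3 = Disable, and the Sites dialog's entries under ZoneMap\Domains. The script below is an added example, not code from the book: it parses the text `reg export` writes for that key and reports each zone's template, its ActiveX-related settings, and risky combinations (unsigned-control download or unsafe-control scripting enabled, or a Low/Medium-Low template on the Internet or Restricted zone). The sample export is constructed for the example (the Trusted Sites values are a plausible Low template and the Internet zone is deliberately weakened); they are not a real machine's defaults.

```python
"""Audit Internet Explorer security-zone settings from a `reg export` file.

Added example (not from the book). Parses the text that
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie.reg
writes and reports each zone's template plus its ActiveX-related Custom Level options.
"""
import re

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# CurrentLevel values IE writes when one of its stock templates is selected.
TEMPLATES = {0x10000: "Low", 0x10500: "Medium-Low", 0x11000: "Medium", 0x12000: "High"}
# Action IDs (registry value names) of the ActiveX/scripting options in the Custom Level dialog.
ACTIONS = {"1001": "Download signed ActiveX controls",
           "1004": "Download unsigned ActiveX controls",
           "1200": "Run ActiveX controls and plug-ins",
           "1201": "Initialize and script ActiveX controls not marked as safe",
           "1400": "Active scripting",
           "1405": "Script ActiveX controls marked safe for scripting"}
SETTING = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Enabling either of these lets a page pull down unsigned native code or script
# COM objects that were never meant to be driven from a Web page.
RISKY_IF_ENABLED = {"1004", "1201"}

ZONE_KEY = re.compile(r"^\[.*\\Zones\\(\d)\]$")
DOMAIN_KEY = re.compile(r"^\[.*\\ZoneMap\\Domains\\(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_export(text):
    """Return ({zone_id: {value_name: int}}, [(host, scheme, zone_id), ...])."""
    zones, sites = {}, []
    target = None                      # dict for a Zones\N key, host string for a Domains key
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):       # a new key: decide whether we care about it
            target = None
            m = ZONE_KEY.match(line)
            if m:
                target = zones.setdefault(int(m.group(1)), {})
            m = DOMAIN_KEY.match(line)
            if m:                      # Domains\example.net\intranet -> intranet.example.net
                target = ".".join(reversed(m.group(1).split("\\")))
            continue
        m = DWORD.match(line)
        if m is None or target is None:
            continue                   # header, blank line, string value, or uninteresting key
        name, value = m.group(1), int(m.group(2), 16)
        if isinstance(target, dict):
            target[name] = value
        else:
            sites.append((target, name, value))   # value name is the scheme: http, https or *
    return zones, sites


def audit(zones):
    """One report entry per zone: template name, decoded options, and risky findings."""
    report = []
    for zid in sorted(zones):
        vals = zones[zid]
        template = TEMPLATES.get(vals.get("CurrentLevel"), "not a stock template")
        settings = {a: SETTING.get(vals.get(a), "unset") for a in ACTIONS}
        findings = [f"{a} ({ACTIONS[a]}) is Enable"
                    for a in sorted(RISKY_IF_ENABLED) if vals.get(a) == 0]
        if zid in (3, 4) and template in ("Low", "Medium-Low"):
            findings.append(f"{template} template on an untrusted zone")
        report.append({"zone": zid, "name": ZONE_NAMES.get(zid, f"zone {zid}"),
                       "template": template, "settings": settings, "findings": findings})
    return report


# Constructed sample export: a Trusted Sites zone on the Low template, an Internet zone
# deliberately weakened to Low with unsafe options enabled, and two Sites-dialog entries.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"CurrentLevel"=dword:00010000
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1400"=dword:00000000
"1405"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00010000
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
"1405"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net\intranet]
"*"=dword:00000001
"""

if __name__ == "__main__":
    # For a real file: parse_export(open("ie.reg", encoding="utf-16").read()); reg export writes UTF-16.
    zones, sites = parse_export(SAMPLE_EXPORT)
    for entry in audit(zones):
        print(f"Zone {entry['zone']} ({entry['name']}): {entry['template']}")
        for action, state in entry["settings"].items():
            print(f"    {action} {ACTIONS[action]}: {state}")
        for finding in entry["findings"]:
            print(f"    ! {finding}")
    for host, scheme, zid in sites:
        print(f"{scheme}://{host} -> zone {zid} ({ZONE_NAMES[zid]})")
```

Zones that are missing from the export fall back to the HKLM copy of the same key, and a CurrentLevel that is not one of the four template constants simply means the zone was customized, so treat "not a stock template" as a prompt to read the individual options rather than as a finding in itself.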