Re: Java vs JavaScript

From: Arne Vajhøj <arne@vajhoej.dk>
Newsgroups: comp.lang.java.programmer
Date: Wed, 23 Apr 2014 22:22:12 -0400
Message-ID: <53587557$0$294$14726298@news.sunsite.dk>

On 4/23/2014 11:39 AM, Roedy Green wrote:

> I have always thought the Java sandbox was so restrictive, there was
> nothing a user need worry about. There is no way an unsigned applet
> could do any damage.


That is true assuming there are no bugs in the Java applet security
implementation.

I think they have found 200-300 bugs during the last 2-3 years.

> But Oracle and the browsers are acting like unsigned Applets are
> highly dangerous, making you do override after override to run them.


If a bug in Java allows an unsigned applet to gain privs, then it is
extremely dangerous, as a malicious site could run a 1 pixel applet
that infected the PC without the user even knowing that Java was
running.

Apparently Oracle no longer believes that they can fix all
security bugs.

Given the recent history, that seems realistic.

> On the other hand I don't think JavaScript has any sort of sandbox at
> all, and everyone blissfully runs scripts that can do anything.


Not true.

JavaScript is sandboxed and has about the same access as an unsigned
applet.

And because there is no concept of signed JavaScript with granted
privs, it is probably easier to avoid bugs as the code must be
a lot simpler.

> Why the double standard? Is JavaScript safer than I thought?


Plenty of JavaScript bugs have been found over the years.

But JavaScript has done better than Java in recent years.

Arne
