SlideShare ist ein Scribd-Unternehmen logo

Douglas - Real JavaScript

D
d0nn9n
Technologie
1 von 79
Downloaden Sie, um offline zu lesen
Really. JavaScript. Douglas Crockford Yahoo!
The World’s Most Popular Programming Language
The World’s Most Popular Programming Language The World’s Most Unpopular Programming Language
Java Scheme Self LiveScript
Java Scheme Self LiveScript JavaScript
Java Scheme Self LiveScript JavaScript ECMAScript
The web was a disappointment as an application delivery system. Page replacement too inefficient. Java applets failed. No one believed in JavaScript.
The Web Is Dead. The future is not document retrieval. The future is distributed programming.
“Another software technology will come along and kill off the Web... And that judgment day will arrive very soon -- in the next two to three years.” George F. Colony Chairman of the Board and CEO Forrester Research, Inc. [2000] http://web.archive.org/web/20001019084041/http://www.forrester.com/ER/Marketing/1,1503,21
Microsoft abandoned the web.
AJAX! JavaScript gets a second chance.
Reasons to Hate JavaScript • It has bad parts. • The DOM is awful. • It isn’t Java, C#, C++, Python, Ruby, … • It didn’t die.
There are reasons to like JavaScript It has good parts.
JavaScript is a functional language with dynamic objects and familiar syntax.
It scales from beginners to masters.
JavaScript is especially effective in an event-driven application model.
Programs in JavaScript can be significantly smaller than equivalent programs in other languages. But you must learn to think in JavaScript.
Beyond the browser • Applications. • Operating Systems. • Databases. • Mobile. • Consumer electronics. • Servers.
Can we make JavaScript a better language? The web is difficult to change.
The most effective way to make JavaScript a better language is to remove the bad parts. JSLint.com
Avoid forms that are difficult to distinguish from errors. JSLint.com
Correct the {block scope} problem. New let and const statements to replace var.
Better support for variadic functions The arguments array has lots of problems.
New syntax is useless if you must support older browsers. New syntax === syntax errors
IE6 is fading very slowly. Five years ago I predicted that IE6 would fade away in five years.
There are more obsolete copies of IE in use than Opera, Safari, and Chrome combined. IE6 is hanging on because we are allowing it to hang on.
IE6 MUST DIE!
Decimal? 0.1 + 0.2 !== 0.3
A better target for compilation? JavaScript has become the world’s virtual machine.
An intermediate representation?
Macros?
Threads?
Tail Calls? return func();
More like _______?
Exciting new features? Readability. Significant efficiency.
Security? XSS
What can an attacker do if he gets some script into your page?
An attacker can request additional scripts from any server in the world. Once it gets a foothold, it can obtain all of the scripts it needs.
An attacker can read the document. The attacker can see everything the user sees.
An attacker can make requests of your server. Your server cannot detect that the request did not originate with your application.
If your server accepts SQL queries, then the attacker gets access to your database. SQL was optimized for SQL Injection Attacks
An attacker has control over the display and can request information from the user. The user cannot detect that the request did not originate with your application.
An attacker can send information to servers anywhere in the world.
The browser does not prevent any of these. Web standards require these weaknesses.
The consequences of a successful attack are horrible. Harm to customers. Loss of trust. Legal liabilities.
Cross site scripting attacks were invented in 1995. We made no progress on the fundamental problems in 14 years.
Why is there XSS? • The web stack is too complicated. Too many languages, each with its own encoding, quoting, commenting, and escapement conventions. Each can be nested inside of the others. Browsers do heroic things to make sense of malformed content. • Template-based web frameworks are optimized for XSS injection.
Why is there XSS? • The JavaScript global object gives every scrap of script the same set of powerful capabilities. • As bad as it is at security, the browser is a vast improvement over everything else. • The browser does distinguish between the interests of the user and the interests of the site. • The browser failed to anticipate that there could be additional interests.
Fundamentally, XSS is a confusion of interests. It is dangerous and must be corrected now.
Solving the XSS problem should be our #1 priority. We cannot tolerate web standards that make things worse.
Mashups! A mashup is a self-inflicted XSS attack.
Advertising is a mashup. Advertising is a self-inflicted XSS attack.
Safe JavaScript Subsets Deny access to the global object and the DOM. Caja. http://code.google.com/p/google- caja/ ADsafe. http://www.ADsafe.org/
ECMAScript Fifth Edition Strict December 2009
ES5/Strict makes it possible to have static verification of third party code without over-constraining the programming model. The best of both Caja and ADsafe.
There is still more work to be done • ES5/Strict cannot protect the page from XSS script injection. • ES5/Strict can protect the page from the widgets, but it cannot protect the widgets from the page. • ES5/Strict is an important step toward a programming model in which multiple interests can cooperate for the user’s benefit without compromising each other or the user.
IE6 MUST DIE!
ES5/Strict does not solve the XSS problem. Fixing ECMAScript is a necessary step. But it is also necessary to fix the DOM.
The DOM is an awful API. It inflicts tremendous pain on developers. It enables XSS attacks.
HTML5 A big step in the wrong direction.
How HTML5 makes things worse 1. It is complicated. Complexity is the enemy of security. 2. It gives powerful new capabilities to the attacker, include access to the local database. 3. HTML5 will take a long time to complete. Does a solution to the XSS problem have to wait until HTML6?
Reset. • Throw the current HTML5 proposal out and start over. • The new charter makes the timely solution of the XSS problem the highest priority. • The old HTML5 set can be mined for good ideas as long as that does not undermine the prime directive.
The Next Browser Standard • HTML4/ECMAScript 5 Compatibility mode to support old applications. • An opt-in safe mode that has a new HTML language, ECMAScript 6, and a new DOM. • The new DOM should look like an Ajax library.
Many popular approaches to security fail. • Security by inconvenience. (TSA) • Security by obscurity. • Security as identity. • Security by vigilance.
Security can fall out of good software design.
Information Hiding Need to know David Parnas On the Criteria to Be Used in Decomposing Systems into Modules. (1972)
Information Hiding Need to know A reference is a capability. Capability Hiding Need to do
There are exactly three ways to obtain a reference in an object capability security system. 1. By Creation. 2. By Construction. 3. By Introduction.
1. By Creation If a function creates an object, it gets a reference to that object.
2. By Construction An object may be endowed by its constructor with references. This can include references in the constructor’s context and inherited references.
3. By Introduction A has a references to B and C. B has no references, so it cannot communicate with A or C C has no references, so it cannot communicate with A or B A C B
3. By Introduction A calls B, passing a reference to C. A C B
3. By Introduction B is now able to communicate with C. A C B It has the capability.
If references can only be obtained by Creation, Construction, or Introduction, then you may have a safe system.
If references can be obtained in any other way, you do not have a safe system.
ECMAScript is being transformed into an Object Capability Language. The browser must be transformed into an Object Capability System.
The Lazy Programmer’s Guide to Secure Computing Marc Stiegler http://www.youtube.com/watch ? v=eL5o4PFuxTY
The Web is important enough to fix. HTML5 does not fix the web. It makes it worse. Reset HTML5 and start over.

Empfohlen

Douglas Crockford - Ajax Security
Douglas Crockford - Ajax SecurityDouglas Crockford - Ajax Security
Douglas Crockford - Ajax Security
Web Directions
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
Rich Helton
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
legacye
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
beched
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in Android
Rich Helton
 
Reflected File Download Vulnerability - Narendra Bhati
Reflected File Download Vulnerability - Narendra BhatiReflected File Download Vulnerability - Narendra Bhati
Reflected File Download Vulnerability - Narendra Bhati
Narendra Bhati
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
Carlo Bonamico
 

Empfohlen

Douglas Crockford - Ajax Security
Douglas Crockford - Ajax SecurityDouglas Crockford - Ajax Security
Douglas Crockford - Ajax Security
Web Directions
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
Rich Helton
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
legacye
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
beched
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in Android
Rich Helton
 
Reflected File Download Vulnerability - Narendra Bhati
Reflected File Download Vulnerability - Narendra BhatiReflected File Download Vulnerability - Narendra Bhati
Reflected File Download Vulnerability - Narendra Bhati
Narendra Bhati
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
Carlo Bonamico
 
Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
TonikJDK
 
Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You? Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You?
Lumension
 
Security for javascript
Security for javascriptSecurity for javascript
Security for javascript
Hữu Đại
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
drewz lin
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
IMMUNIO
 
Mef 12 step program
Mef 12 step programMef 12 step program
Mef 12 step program
JamesEggers
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
Jack Mannino
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Insecure Trends in Web 2.0
Insecure Trends in Web 2.0Insecure Trends in Web 2.0
Insecure Trends in Web 2.0
Ferruh Mavituna
 
Community dynamics
Community dynamicsCommunity dynamics
Community dynamics
Dave Neary
 
General Assembly Workshop: Advanced JavaScript
General Assembly Workshop: Advanced JavaScriptGeneral Assembly Workshop: Advanced JavaScript
General Assembly Workshop: Advanced JavaScript
Spike Brehm
 
Advanced JavaScript
Advanced JavaScriptAdvanced JavaScript
Advanced JavaScript
Fu Cheng
 
JavaScript, Beyond the Curly Braces
JavaScript, Beyond the Curly BracesJavaScript, Beyond the Curly Braces
JavaScript, Beyond the Curly Braces
Chicago ALT.NET
 
JavaScript: Advanced Scoping & Other Puzzles
JavaScript: Advanced Scoping & Other PuzzlesJavaScript: Advanced Scoping & Other Puzzles
JavaScript: Advanced Scoping & Other Puzzles
Sencha
 
03 Advanced JavaScript
03 Advanced JavaScript03 Advanced JavaScript
03 Advanced JavaScript
Ynon Perek
 
Advanced Object-Oriented JavaScript
Advanced Object-Oriented JavaScriptAdvanced Object-Oriented JavaScript
Advanced Object-Oriented JavaScript
ecker
 
Advanced Object Oriented JavaScript (prototype, closure, scope, design patterns)
Advanced Object Oriented JavaScript (prototype, closure, scope, design patterns)Advanced Object Oriented JavaScript (prototype, closure, scope, design patterns)
Advanced Object Oriented JavaScript (prototype, closure, scope, design patterns)
raja kvk
 
Advanced Javascript
Advanced JavascriptAdvanced Javascript
Advanced Javascript
Adieu
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Front End Development | Introduction
Front End Development | IntroductionFront End Development | Introduction
Front End Development | Introduction
JohnTaieb
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
legacye
 

Weitere ähnliche Inhalte

Was ist angesagt?

Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You? Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You?
Lumension
 
Security for javascript
Security for javascriptSecurity for javascript
Security for javascript
Hữu Đại
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
drewz lin
 

Was ist angesagt? (11)

Derby con 2014
Derby con 2014Derby con 2014
Derby con 2014
 
Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You? Adobe Hacked Again: What Does It Mean for You?
Adobe Hacked Again: What Does It Mean for You?
 
Security for javascript
Security for javascriptSecurity for javascript
Security for javascript
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
 
Mef 12 step program
Mef 12 step programMef 12 step program
Mef 12 step program
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
 
Insecure Trends in Web 2.0
Insecure Trends in Web 2.0Insecure Trends in Web 2.0
Insecure Trends in Web 2.0
 
Community dynamics
Community dynamicsCommunity dynamics
Community dynamics
 

Andere mochten auch

General Assembly Workshop: Advanced JavaScript
General Assembly Workshop: Advanced JavaScriptGeneral Assembly Workshop: Advanced JavaScript
General Assembly Workshop: Advanced JavaScript
Spike Brehm
 
03 Advanced JavaScript
03 Advanced JavaScript03 Advanced JavaScript
03 Advanced JavaScript
Ynon Perek
 
Advanced Javascript
Advanced JavascriptAdvanced Javascript
Advanced Javascript
Adieu
 

Andere mochten auch (8)

General Assembly Workshop: Advanced JavaScript
General Assembly Workshop: Advanced JavaScriptGeneral Assembly Workshop: Advanced JavaScript
General Assembly Workshop: Advanced JavaScript
 
Advanced JavaScript
Advanced JavaScriptAdvanced JavaScript
Advanced JavaScript
 
JavaScript, Beyond the Curly Braces
JavaScript, Beyond the Curly BracesJavaScript, Beyond the Curly Braces
JavaScript, Beyond the Curly Braces
 
JavaScript: Advanced Scoping & Other Puzzles
JavaScript: Advanced Scoping & Other PuzzlesJavaScript: Advanced Scoping & Other Puzzles
JavaScript: Advanced Scoping & Other Puzzles
 
03 Advanced JavaScript
03 Advanced JavaScript03 Advanced JavaScript
03 Advanced JavaScript
 
Advanced Object-Oriented JavaScript
Advanced Object-Oriented JavaScriptAdvanced Object-Oriented JavaScript
Advanced Object-Oriented JavaScript
 
Advanced Object Oriented JavaScript (prototype, closure, scope, design patterns)
Advanced Object Oriented JavaScript (prototype, closure, scope, design patterns)Advanced Object Oriented JavaScript (prototype, closure, scope, design patterns)
Advanced Object Oriented JavaScript (prototype, closure, scope, design patterns)
 
Advanced Javascript
Advanced JavascriptAdvanced Javascript
Advanced Javascript
 

Ähnlich wie Douglas - Real JavaScript

Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
legacye
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
legacye
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
legacye
 
CLR_via_CSharp_(Jeffrey_Richter_4th_Edition).pdf
CLR_via_CSharp_(Jeffrey_Richter_4th_Edition).pdfCLR_via_CSharp_(Jeffrey_Richter_4th_Edition).pdf
CLR_via_CSharp_(Jeffrey_Richter_4th_Edition).pdf
ssuserbe139c
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
Minded Security
 
WebAssembly & Zero Trust for Code
WebAssembly & Zero Trust for CodeWebAssembly & Zero Trust for Code
WebAssembly & Zero Trust for Code
All Things Open
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
Mario Heiderich
 

Ähnlich wie Douglas - Real JavaScript (20)

Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Front End Development | Introduction
Front End Development | IntroductionFront End Development | Introduction
Front End Development | Introduction
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
 
Ob Essay
Ob EssayOb Essay
Ob Essay
 
Selecting the Best Javascript Web Framework
Selecting the Best Javascript Web FrameworkSelecting the Best Javascript Web Framework
Selecting the Best Javascript Web Framework
 
Microservice pitfalls
Microservice pitfalls Microservice pitfalls
Microservice pitfalls
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
 
Why You Should Use MERN Stack for Startup Apps?
Why You Should Use MERN Stack for Startup Apps?Why You Should Use MERN Stack for Startup Apps?
Why You Should Use MERN Stack for Startup Apps?
 
CLR_via_CSharp_(Jeffrey_Richter_4th_Edition).pdf
CLR_via_CSharp_(Jeffrey_Richter_4th_Edition).pdfCLR_via_CSharp_(Jeffrey_Richter_4th_Edition).pdf
CLR_via_CSharp_(Jeffrey_Richter_4th_Edition).pdf
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
WebAssembly & Zero Trust for Code
WebAssembly & Zero Trust for CodeWebAssembly & Zero Trust for Code
WebAssembly & Zero Trust for Code
 
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityDev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT Security
 
How to use electron to build multi platform desktop applications
How to use electron to build multi platform desktop applications How to use electron to build multi platform desktop applications
How to use electron to build multi platform desktop applications
 
Web Design World Flickr
Web Design World FlickrWeb Design World Flickr
Web Design World Flickr
 

Mehr von d0nn9n

腾讯大讲堂:62 拇指下的精彩(手机qq交互设计经验分享)
腾讯大讲堂:62 拇指下的精彩(手机qq交互设计经验分享)腾讯大讲堂:62 拇指下的精彩(手机qq交互设计经验分享)
腾讯大讲堂:62 拇指下的精彩(手机qq交互设计经验分享)
d0nn9n
 
腾讯大讲堂:55 企业法律风险防范
腾讯大讲堂:55 企业法律风险防范腾讯大讲堂:55 企业法律风险防范
腾讯大讲堂:55 企业法律风险防范
d0nn9n
 
腾讯大讲堂:56 qzone安全之路
腾讯大讲堂:56 qzone安全之路腾讯大讲堂:56 qzone安全之路
腾讯大讲堂:56 qzone安全之路
d0nn9n
 
腾讯大讲堂:59 数据蕴含商机,挖掘决胜千里
腾讯大讲堂:59 数据蕴含商机,挖掘决胜千里腾讯大讲堂:59 数据蕴含商机,挖掘决胜千里
腾讯大讲堂:59 数据蕴含商机,挖掘决胜千里
d0nn9n
 
腾讯大讲堂:57 超级qq的千万之路
腾讯大讲堂:57 超级qq的千万之路 腾讯大讲堂:57 超级qq的千万之路
腾讯大讲堂:57 超级qq的千万之路
d0nn9n
 
蔡学镛 Rebol漫谈
蔡学镛 Rebol漫谈蔡学镛 Rebol漫谈
蔡学镛 Rebol漫谈
d0nn9n
 
赵泽欣 - 淘宝网前端应用与发展
赵泽欣 - 淘宝网前端应用与发展赵泽欣 - 淘宝网前端应用与发展
赵泽欣 - 淘宝网前端应用与发展
d0nn9n
 
Yanggang wps
Yanggang wpsYanggang wps
Yanggang wps
d0nn9n
 
熊节 - 软件工厂的精益之路
熊节 - 软件工厂的精益之路熊节 - 软件工厂的精益之路
熊节 - 软件工厂的精益之路
d0nn9n
 
谢恩伟 - 微软在云端
谢恩伟 - 微软在云端谢恩伟 - 微软在云端
谢恩伟 - 微软在云端
d0nn9n
 
去哪儿平台技术
去哪儿平台技术去哪儿平台技术
去哪儿平台技术
d0nn9n
 
吴磊 - Silverlight企业级RIA
吴磊 - Silverlight企业级RIA吴磊 - Silverlight企业级RIA
吴磊 - Silverlight企业级RIA
d0nn9n
 
Tom - Scrum
Tom - ScrumTom - Scrum
Tom - Scrum
d0nn9n
 
Tim - FSharp
Tim - FSharpTim - FSharp
Tim - FSharp
d0nn9n
 
Tiger oracle
Tiger oracleTiger oracle
Tiger oracle
d0nn9n
 
Paulking groovy
Paulking groovyPaulking groovy
Paulking groovy
d0nn9n
 
Paulking dlp
Paulking dlpPaulking dlp
Paulking dlp
d0nn9n
 
Patrick jcp
Patrick jcpPatrick jcp
Patrick jcp
d0nn9n
 
Nick twitter
Nick twitterNick twitter
Nick twitter
d0nn9n
 
Marc facebook
Marc facebookMarc facebook
Marc facebook
d0nn9n
 

Mehr von d0nn9n (20)

腾讯大讲堂:62 拇指下的精彩(手机qq交互设计经验分享)
腾讯大讲堂:62 拇指下的精彩(手机qq交互设计经验分享)腾讯大讲堂:62 拇指下的精彩(手机qq交互设计经验分享)
腾讯大讲堂:62 拇指下的精彩(手机qq交互设计经验分享)
 
腾讯大讲堂:55 企业法律风险防范
腾讯大讲堂:55 企业法律风险防范腾讯大讲堂:55 企业法律风险防范
腾讯大讲堂:55 企业法律风险防范
 
腾讯大讲堂:56 qzone安全之路
腾讯大讲堂:56 qzone安全之路腾讯大讲堂:56 qzone安全之路
腾讯大讲堂:56 qzone安全之路
 
腾讯大讲堂:59 数据蕴含商机,挖掘决胜千里
腾讯大讲堂:59 数据蕴含商机,挖掘决胜千里腾讯大讲堂:59 数据蕴含商机,挖掘决胜千里
腾讯大讲堂:59 数据蕴含商机,挖掘决胜千里
 
腾讯大讲堂:57 超级qq的千万之路
腾讯大讲堂:57 超级qq的千万之路 腾讯大讲堂:57 超级qq的千万之路
腾讯大讲堂:57 超级qq的千万之路
 
蔡学镛 Rebol漫谈
蔡学镛 Rebol漫谈蔡学镛 Rebol漫谈
蔡学镛 Rebol漫谈
 
赵泽欣 - 淘宝网前端应用与发展
赵泽欣 - 淘宝网前端应用与发展赵泽欣 - 淘宝网前端应用与发展
赵泽欣 - 淘宝网前端应用与发展
 
Yanggang wps
Yanggang wpsYanggang wps
Yanggang wps
 
熊节 - 软件工厂的精益之路
熊节 - 软件工厂的精益之路熊节 - 软件工厂的精益之路
熊节 - 软件工厂的精益之路
 
谢恩伟 - 微软在云端
谢恩伟 - 微软在云端谢恩伟 - 微软在云端
谢恩伟 - 微软在云端
 
去哪儿平台技术
去哪儿平台技术去哪儿平台技术
去哪儿平台技术
 
吴磊 - Silverlight企业级RIA
吴磊 - Silverlight企业级RIA吴磊 - Silverlight企业级RIA
吴磊 - Silverlight企业级RIA
 
Tom - Scrum
Tom - ScrumTom - Scrum
Tom - Scrum
 
Tim - FSharp
Tim - FSharpTim - FSharp
Tim - FSharp
 
Tiger oracle
Tiger oracleTiger oracle
Tiger oracle
 
Paulking groovy
Paulking groovyPaulking groovy
Paulking groovy
 
Paulking dlp
Paulking dlpPaulking dlp
Paulking dlp
 
Patrick jcp
Patrick jcpPatrick jcp
Patrick jcp
 
Nick twitter
Nick twitterNick twitter
Nick twitter
 
Marc facebook
Marc facebookMarc facebook
Marc facebook
 

Kürzlich hochgeladen

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Douglas - Real JavaScript

  • 1. Really. JavaScript. Douglas Crockford Yahoo!
  • 2. The World’s Most Popular Programming Language
  • 3. The World’s Most Popular Programming Language The World’s Most Unpopular Programming Language
  • 4.
  • 5. Java Scheme Self LiveScript
  • 6. Java Scheme Self LiveScript JavaScript
  • 7. Java Scheme Self LiveScript JavaScript ECMAScript
  • 8. The web was a disappointment as an application delivery system. Page replacement too inefficient. Java applets failed. No one believed in JavaScript.
  • 9. The Web Is Dead. The future is not document retrieval. The future is distributed programming.
  • 10. “Another software technology will come along and kill off the Web... And that judgment day will arrive very soon -- in the next two to three years.” George F. Colony Chairman of the Board and CEO Forrester Research, Inc. [2000] http://web.archive.org/web/20001019084041/http://www.forrester.com/ER/Marketing/1,1503,21
  • 12. AJAX! JavaScript gets a second chance.
  • 13. Reasons to Hate JavaScript • It has bad parts. • The DOM is awful. • It isn’t Java, C#, C++, Python, Ruby, … • It didn’t die.
  • 14. There are reasons to like JavaScript It has good parts.
  • 15. JavaScript is a functional language with dynamic objects and familiar syntax.
  • 16. It scales from beginners to masters.
  • 17. JavaScript is especially effective in an event-driven application model.
  • 18. Programs in JavaScript can be significantly smaller than equivalent programs in other languages. But you must learn to think in JavaScript.
  • 19. Beyond the browser • Applications. • Operating Systems. • Databases. • Mobile. • Consumer electronics. • Servers.
  • 20. Can we make JavaScript a better language? The web is difficult to change.
  • 21. The most effective way to make JavaScript a better language is to remove the bad parts. JSLint.com
  • 22. Avoid forms that are difficult to distinguish from errors. JSLint.com
  • 23. Correct the {block scope} problem. New let and const statements to replace var.
  • 24. Better support for variadic functions The arguments array has lots of problems.
  • 25. New syntax is useless if you must support older browsers. New syntax === syntax errors
  • 26. IE6 is fading very slowly. Five years ago I predicted that IE6 would fade away in five years.
  • 27. There are more obsolete copies of IE in use than Opera, Safari, and Chrome combined. IE6 is hanging on because we are allowing it to hang on.
  • 30. A better target for compilation? JavaScript has become the world’s virtual machine.
  • 36. Exciting new features? Readability. Significant efficiency.
  • 37. Security? XSS
  • 38. What can an attacker do if he gets some script into your page?
  • 39. An attacker can request additional scripts from any server in the world. Once it gets a foothold, it can obtain all of the scripts it needs.
  • 40. An attacker can read the document. The attacker can see everything the user sees.
  • 41. An attacker can make requests of your server. Your server cannot detect that the request did not originate with your application.
  • 42. If your server accepts SQL queries, then the attacker gets access to your database. SQL was optimized for SQL Injection Attacks
  • 43. An attacker has control over the display and can request information from the user. The user cannot detect that the request did not originate with your application.
  • 44. An attacker can send information to servers anywhere in the world.
  • 45. The browser does not prevent any of these. Web standards require these weaknesses.
  • 46. The consequences of a successful attack are horrible. Harm to customers. Loss of trust. Legal liabilities.
  • 47. Cross site scripting attacks were invented in 1995. We made no progress on the fundamental problems in 14 years.
  • 48. Why is there XSS? • The web stack is too complicated. Too many languages, each with its own encoding, quoting, commenting, and escapement conventions. Each can be nested inside of the others. Browsers do heroic things to make sense of malformed content. • Template-based web frameworks are optimized for XSS injection.
  • 49. Why is there XSS? • The JavaScript global object gives every scrap of script the same set of powerful capabilities. • As bad as it is at security, the browser is a vast improvement over everything else. • The browser does distinguish between the interests of the user and the interests of the site. • The browser failed to anticipate that there could be additional interests.
  • 50. Fundamentally, XSS is a confusion of interests. It is dangerous and must be corrected now.
  • 51. Solving the XSS problem should be our #1 priority. We cannot tolerate web standards that make things worse.
  • 52. Mashups! A mashup is a self-inflicted XSS attack.
  • 53. Advertising is a mashup. Advertising is a self-inflicted XSS attack.
  • 54. Safe JavaScript Subsets Deny access to the global object and the DOM. Caja. http://code.google.com/p/google- caja/ ADsafe. http://www.ADsafe.org/
  • 55. ECMAScript Fifth Edition Strict December 2009
  • 56. ES5/Strict makes it possible to have static verification of third party code without over-constraining the programming model. The best of both Caja and ADsafe.
  • 57. There is still more work to be done • ES5/Strict cannot protect the page from XSS script injection. • ES5/Strict can protect the page from the widgets, but it cannot protect the widgets from the page. • ES5/Strict is an important step toward a programming model in which multiple interests can cooperate for the user’s benefit without compromising each other or the user.
  • 59. ES5/Strict does not solve the XSS problem. Fixing ECMAScript is a necessary step. But it is also necessary to fix the DOM.
  • 60. The DOM is an awful API. It inflicts tremendous pain on developers. It enables XSS attacks.
  • 61. HTML5 A big step in the wrong direction.
  • 62. How HTML5 makes things worse 1. It is complicated. Complexity is the enemy of security. 2. It gives powerful new capabilities to the attacker, include access to the local database. 3. HTML5 will take a long time to complete. Does a solution to the XSS problem have to wait until HTML6?
  • 63. Reset. • Throw the current HTML5 proposal out and start over. • The new charter makes the timely solution of the XSS problem the highest priority. • The old HTML5 set can be mined for good ideas as long as that does not undermine the prime directive.
  • 64. The Next Browser Standard • HTML4/ECMAScript 5 Compatibility mode to support old applications. • An opt-in safe mode that has a new HTML language, ECMAScript 6, and a new DOM. • The new DOM should look like an Ajax library.
  • 65. Many popular approaches to security fail. • Security by inconvenience. (TSA) • Security by obscurity. • Security as identity. • Security by vigilance.
  • 66. Security can fall out of good software design.
  • 67. Information Hiding Need to know David Parnas On the Criteria to Be Used in Decomposing Systems into Modules. (1972)
  • 68. Information Hiding Need to know A reference is a capability. Capability Hiding Need to do
  • 69. There are exactly three ways to obtain a reference in an object capability security system. 1. By Creation. 2. By Construction. 3. By Introduction.
  • 70. 1. By Creation If a function creates an object, it gets a reference to that object.
  • 71. 2. By Construction An object may be endowed by its constructor with references. This can include references in the constructor’s context and inherited references.
  • 72. 3. By Introduction A has a references to B and C. B has no references, so it cannot communicate with A or C C has no references, so it cannot communicate with A or B A C B
  • 73. 3. By Introduction A calls B, passing a reference to C. A C B
  • 74. 3. By Introduction B is now able to communicate with C. A C B It has the capability.
  • 75. If references can only be obtained by Creation, Construction, or Introduction, then you may have a safe system.
  • 76. If references can be obtained in any other way, you do not have a safe system.
  • 77. ECMAScript is being transformed into an Object Capability Language. The browser must be transformed into an Object Capability System.
  • 78. The Lazy Programmer’s Guide to Secure Computing Marc Stiegler http://www.youtube.com/watch ? v=eL5o4PFuxTY
  • 79. The Web is important enough to fix. HTML5 does not fix the web. It makes it worse. Reset HTML5 and start over.