Douglas - Real JavaScript


Page 1: Douglas - Real JavaScript

Really. JavaScript.

Douglas Crockford

Yahoo!

Page 2: Douglas - Real JavaScript

The World’s Most Popular Programming Language

Page 3: Douglas - Real JavaScript

The World’s Most Popular Programming Language

The World’s Most Unpopular Programming Language

Page 4: Douglas - Real JavaScript
Page 5: Douglas - Real JavaScript

Scheme, Self, Java

LiveScript

Page 6: Douglas - Real JavaScript

Scheme, Self, Java

LiveScript, JavaScript

Page 7: Douglas - Real JavaScript

Scheme, Self, Java

LiveScript, JavaScript

ECMAScript

Page 8: Douglas - Real JavaScript

The web was a disappointment as an application delivery system.

Page replacement too inefficient.

Java applets failed.

No one believed in JavaScript.

Page 9: Douglas - Real JavaScript

The Web Is Dead.

The future is not document retrieval.

The future is distributed programming.

Page 10: Douglas - Real JavaScript

“Another software technology will come along and kill off the Web... And that judgment day will arrive very soon -- in the next two to three years.”

George F. Colony, Chairman of the Board and CEO, Forrester Research, Inc. [2000]

http://web.archive.org/web/20001019084041/http://www.forrester.com/ER/Marketing/1,1503,214,FF.html

Page 11: Douglas - Real JavaScript

Microsoft abandoned the web.

Page 12: Douglas - Real JavaScript

AJAX! JavaScript gets a second chance.

Page 13: Douglas - Real JavaScript

Reasons to Hate JavaScript

• It has bad parts.

• The DOM is awful.

• It isn’t Java, C#, C++, Python, Ruby, …

• It didn’t die.

Page 14: Douglas - Real JavaScript

There are reasons to like JavaScript

It has good parts.

Page 15: Douglas - Real JavaScript

JavaScript is a functional language with dynamic objects and familiar syntax.

Page 16: Douglas - Real JavaScript

It scales from beginners to masters.

Page 17: Douglas - Real JavaScript

JavaScript is especially effective in an event-driven application model.

Page 18: Douglas - Real JavaScript

Programs in JavaScript can be significantly smaller than equivalent programs in other languages.

But you must learn to think in JavaScript.

Page 19: Douglas - Real JavaScript

Beyond the browser

• Applications.

• Operating Systems.

• Databases.

• Mobile.

• Consumer electronics.

• Servers.

Page 20: Douglas - Real JavaScript

Can we make JavaScript a better language?

The web is difficult to change.

Page 21: Douglas - Real JavaScript

The most effective way to make JavaScript a better language is to remove the bad parts.

JSLint.com

Page 22: Douglas - Real JavaScript

Avoid forms that are difficult to distinguish from errors.

JSLint.com

Page 23: Douglas - Real JavaScript

Correct the {block scope} problem.

New let and const statements to replace var.

Page 24: Douglas - Real JavaScript

Better support for variadic functions

The arguments array has lots of problems.

Page 25: Douglas - Real JavaScript

New syntax is useless if you must support older browsers.

New syntax === syntax errors

Page 26: Douglas - Real JavaScript

IE6 is fading very slowly.

Five years ago I predicted that IE6 would fade away in five years.

Page 27: Douglas - Real JavaScript

There are more obsolete copies of IE in use than Opera, Safari, and Chrome combined.

IE6 is hanging on because we are allowing it to hang on.

Page 28: Douglas - Real JavaScript

IE6 MUST DIE!

Page 29: Douglas - Real JavaScript

Decimal?

0.1 + 0.2 !== 0.3

Page 30: Douglas - Real JavaScript

A better target for compilation?

JavaScript has become the world’s virtual machine.

Page 31: Douglas - Real JavaScript

An intermediate representation?

Page 32: Douglas - Real JavaScript

Macros?

Page 33: Douglas - Real JavaScript

Threads?

Page 34: Douglas - Real JavaScript

Tail Calls?

return func();

Page 35: Douglas - Real JavaScript

More like _______?

Page 36: Douglas - Real JavaScript

Exciting new features?

Readability.

Significant efficiency.

Page 37: Douglas - Real JavaScript

Security?

XSS

Page 38: Douglas - Real JavaScript

What can an attacker do if he gets some script into your page?

Page 39: Douglas - Real JavaScript

An attacker can request additional scripts from any server in the world.

Once it gets a foothold, it can obtain all of the scripts it needs.

Page 40: Douglas - Real JavaScript

An attacker can read the document.

The attacker can see everything the user sees.

Page 41: Douglas - Real JavaScript

An attacker can make requests of your server.

Your server cannot detect that the request did not originate with your application.

Page 42: Douglas - Real JavaScript

If your server accepts SQL queries, then the attacker gets access to your database.

SQL was optimized for SQL Injection Attacks.

Page 43: Douglas - Real JavaScript

An attacker has control over the display and can request information from the user.

The user cannot detect that the request did not originate with your application.

Page 44: Douglas - Real JavaScript

An attacker can send information to servers anywhere in the world.

Page 45: Douglas - Real JavaScript

The browser does not prevent any of these.

Web standards require these weaknesses.

Page 46: Douglas - Real JavaScript

The consequences of a successful attack are horrible.

Harm to customers. Loss of trust.

Legal liabilities.

Page 47: Douglas - Real JavaScript

Cross site scripting attacks were invented in 1995.

We made no progress on the fundamental problems in 14 years.

Page 48: Douglas - Real JavaScript

Why is there XSS?

• The web stack is too complicated. Too many languages, each with its own encoding, quoting, commenting, and escapement conventions. Each can be nested inside of the others. Browsers do heroic things to make sense of malformed content.

• Template-based web frameworks are optimized for XSS injection.
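An added example (not from the slides) of the nesting problem described above: one untrusted value placed in HTML text, in an HTML attribute, and in a JavaScript string literal inside that attribute needs a different escaping for each language, applied from the innermost language outward. The function names and the sample name are invented for the illustration.

```javascript
// Added example, not from Crockford's slides: one untrusted value nested in
// three languages (HTML text, HTML attribute, JavaScript string literal) needs
// a different escaping for each, applied from the innermost language outward.

// HTML context: neutralise the characters that can alter markup structure.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: turn every non-alphanumeric character
// into a \uXXXX escape, so nothing can close the literal or the <script>
// element, or smuggle in a line terminator. The output is also HTML-inert.
function escapeJsString(s) {
  return String(s).replace(/[^\w ]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// What the browser's HTML parser hands to the JavaScript engine for an
// attribute value: the HTML entities are decoded before the JS is parsed.
function decodeHtml(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => map[e]);
}

// Wrong: HTML-escaping alone for the onclick handler. The parser undoes it,
// so the quote is back in the JavaScript source when the engine sees it.
function jsSeenByEngineIfOnlyHtmlEscaped(name) {
  return decodeHtml(escapeHtml(name));
}

// Right: escape for the inner language (JS string) first, then for the outer
// language (HTML attribute). The text node only needs the HTML layer.
function renderGreeting(name) {
  const inJs = escapeJsString(name);          // safe inside '...' in JS
  const inAttr = escapeHtml(inJs);            // then safe inside "..." in HTML
  return `<div onclick="greet('${inAttr}')">Hello, ${escapeHtml(name)}</div>`;
}

// Constructed sample input with characters significant in all three contexts.
const sampleName = "O'Brien & <Co>";
console.log(jsSeenByEngineIfOnlyHtmlEscaped(sampleName)); // quote survives
console.log(renderGreeting(sampleName));
```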

Page 49: Douglas - Real JavaScript

Why is there XSS?

• The JavaScript global object gives every scrap of script the same set of powerful capabilities.

• As bad as it is at security, the browser is a vast improvement over everything else.

• The browser does distinguish between the interests of the user and the interests of the site.

• The browser failed to anticipate that there could be additional interests.

Page 50: Douglas - Real JavaScript

Fundamentally, XSS is a confusion of interests.

It is dangerous and must be corrected now.

Page 51: Douglas - Real JavaScript

Solving the XSS problem should be our #1 priority.

We cannot tolerate web standards that make things

worse.

Page 52: Douglas - Real JavaScript

Mashups!

A mashup is a self-inflicted XSS attack.

Page 53: Douglas - Real JavaScript

Advertising is a mashup.

Advertising is a self-inflicted XSS attack.

Page 54: Douglas - Real JavaScript

Safe JavaScript Subsets

Deny access to the global object and the DOM.

Caja. http://code.google.com/p/google-caja/

ADsafe. http://www.ADsafe.org/

Page 55: Douglas - Real JavaScript

ECMAScript Fifth Edition Strict

December 2009

Page 56: Douglas - Real JavaScript

ES5/Strict makes it possible to have static verification of third party code without over-constraining the programming model.

The best of both Caja and ADsafe.

Page 57: Douglas - Real JavaScript

There is still more work to be done

• ES5/Strict cannot protect the page from XSS script injection.

• ES5/Strict can protect the page from the widgets, but it cannot protect the widgets from the page.

• ES5/Strict is an important step toward a programming model in which multiple interests can cooperate for the user’s benefit without compromising each other or the user.
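An added example (not from the slides) of what ES5 strict mode removes that the safe subsets on pages 54-57 depend on: the paths by which any scrap of script can reach the global object without being handed a reference. Each snippet is built with Function() so the two modes can be compared regardless of how this file itself is loaded; the *_example global names are invented for the illustration.

```javascript
// Added example, not from the slides: sloppy mode versus ES5 strict mode as
// seen by a verifier of third-party code. Function() builds each snippet so
// the comparison holds regardless of how this file is loaded.

// In sloppy mode a bare call binds `this` to the global object, so any
// function a widget defines can reach everything on the page.
const sloppyThis = Function('return this;');
const strictThis = Function('"use strict"; return this;');

function sloppyThisIsGlobalObject() { return sloppyThis() === globalThis; } // true
function strictThisIsUndefined()    { return strictThis() === undefined; }  // true

// Sloppy mode silently creates a global on assignment to an undeclared name,
// another path from widget code to shared state.
function sloppyCreatesGlobal() {
  Function('leakedByWidget_example = 42;')();
  const created = globalThis.leakedByWidget_example === 42;
  delete globalThis.leakedByWidget_example;
  return created;                                                         // true
}

// Strict mode turns the same statement into a ReferenceError, so a verifier
// can treat "every free name is declared" as a checkable property.
function strictRejectsUndeclared() {
  try {
    Function('"use strict"; leakedByWidget_example = 42;')();
  } catch (e) {
    return e instanceof ReferenceError && !('leakedByWidget_example' in globalThis);
  }
  return false;                                                           // true
}

// Strict mode also removes arguments.callee: a reference code could obtain
// without being given it, which is exactly what a capability verifier must
// be able to rule out.
function strictBlocksArgumentsCallee() {
  try {
    Function('"use strict"; return arguments.callee;')();
  } catch (e) {
    return e instanceof TypeError;
  }
  return false;                                                           // true
}
```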

Page 58: Douglas - Real JavaScript

IE6 MUST DIE!

Page 59: Douglas - Real JavaScript

ES5/Strict does not solve the XSS problem.

Fixing ECMAScript is a necessary step.

But it is also necessary to fix the DOM.

Page 60: Douglas - Real JavaScript

The DOM is an awful API.

It inflicts tremendous pain on developers.

It enables XSS attacks.

Page 61: Douglas - Real JavaScript

HTML5

A big step in the wrong direction.

Page 62: Douglas - Real JavaScript

How HTML5 makes things worse

1. It is complicated. Complexity is the enemy of security.

2. It gives powerful new capabilities to the attacker, including access to the local database.

3. HTML5 will take a long time to complete. Does a solution to the XSS problem have to wait until HTML6?

Page 63: Douglas - Real JavaScript

Reset.

• Throw the current HTML5 proposal out and start over.

• The new charter makes the timely solution of the XSS problem the highest priority.

• The old HTML5 set can be mined for good ideas as long as that does not undermine the prime directive.

Page 64: Douglas - Real JavaScript

The Next Browser Standard

• HTML4/ECMAScript 5 Compatibility mode to support old applications.

• An opt-in safe mode that has a new HTML language, ECMAScript 6, and a new DOM.

• The new DOM should look like an Ajax library.

Page 65: Douglas - Real JavaScript

Many popular approaches to security fail.

• Security by inconvenience. (TSA)

• Security by obscurity.

• Security as identity.

• Security by vigilance.

Page 66: Douglas - Real JavaScript

Security can fall out of good software design.

Page 67: Douglas - Real JavaScript

Information Hiding: Need to know

David Parnas, On the Criteria to Be Used in Decomposing Systems into Modules (1972).

Page 68: Douglas - Real JavaScript

Information Hiding: Need to know

A reference is a capability.

Capability Hiding: Need to do

Page 69: Douglas - Real JavaScript

There are exactly three ways to obtain a reference in an object capability security system.

1. By Creation.

2. By Construction.

3. By Introduction.

Page 70: Douglas - Real JavaScript

1. By Creation

If a function creates an object, it gets a reference to that object.

Page 71: Douglas - Real JavaScript

2. By Construction

An object may be endowed by its constructor with references.

This can include references in the constructor’s context and inherited references.

Page 72: Douglas - Real JavaScript

3. By Introduction

(Diagram: three objects, A, B, and C.)

A has references to B and C. B has no references, so it cannot communicate with A or C. C has no references, so it cannot communicate with A or B.

Page 73: Douglas - Real JavaScript

3. By Introduction


A calls B, passing a reference to C.

Page 74: Douglas - Real JavaScript

3. By Introduction


B is now able to communicate with C.

It has the capability.

Page 75: Douglas - Real JavaScript

If references can only be obtained by Creation, Construction, or Introduction, then you may have a safe system.

Page 76: Douglas - Real JavaScript

If references can be obtained in any other way, you do not have a safe system.
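An added example (not from the slides) modelling the A, B, C scenario of pages 69-76 with closures: A obtains B and C by Creation, B is endowed only with what its constructor gives it (Construction), and B can talk to C only after A passes the reference in (Introduction). The last function shows the failure mode of page 76, where a reference published on the global object bypasses all three rules. All names are invented for the illustration.

```javascript
// Added example, not from the slides: the three ways to obtain a reference,
// modelled with closures, plus the ambient channel that breaks the model.

// By Creation: whoever creates an object holds a reference to it.
function makeC() {
  const received = [];
  return Object.freeze({
    receive(msg) { received.push(msg); },
    messages() { return received.slice(); },
  });
}

// By Construction: the constructor endows B with references from its own
// context (here only `label`). B starts with no reference to C at all.
function makeB(label) {
  let c = null;                        // filled in only by introduction
  return Object.freeze({
    // B can talk to C only if someone has handed it a reference.
    talkToC(msg) {
      if (c === null) return false;    // no capability, no communication
      c.receive(label + ': ' + msg);
      return true;
    },
    // By Introduction: a holder of both B and C passes C into B.
    introduce(other) { c = other; },
  });
}

// A creates both, so A holds references to B and C (Creation).
function scenario() {
  const b = makeB('B');
  const c = makeC();
  const before = b.talkToC('hello');   // false: B has no reference to C
  b.introduce(c);                      // A passes its reference to C into B
  const after = b.talkToC('hello');    // true: B now has the capability
  return { before, after, seenByC: c.messages() };
}

// Page 76's failure mode: once C is reachable through an ambient channel such
// as the global object, code needs no introduction to reach it, and nothing
// confines what B (or anyone else) can do.
function ambientChannelDefeatsConfinement() {
  const c = makeC();
  globalThis.sharedC_example = c;      // C "published" ambiently (invented name)
  const reached = Function('return globalThis.sharedC_example;')() === c;
  delete globalThis.sharedC_example;
  return reached;                      // true: confinement is gone
}
```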

Page 77: Douglas - Real JavaScript

ECMAScript is being transformed into an Object Capability Language.

The browser must be transformed into an Object Capability System.

Page 78: Douglas - Real JavaScript

The Lazy Programmer’s Guide to Secure Computing

Marc Stiegler

http://www.youtube.com/watch?v=eL5o4PFuxTY

Page 79: Douglas - Real JavaScript

The Web is important enough to fix.

HTML5 does not fix the web. It makes it worse.

Reset HTML5 and start over.