Douglas - Real JavaScript

  • View
    948

  • Download
    0

Embed Size (px)

Transcript

  • 1.Really. JavaScript.Douglas CrockfordYahoo!

2. The Worlds Most PopularProgramming Language 3. The Worlds Most Popular Programming LanguageThe Worlds Most UnpopularProgramming Language 4. JavaSchemeSelf LiveScript 5. JavaSchemeSelf LiveScriptJavaScript 6. Java Scheme Self LiveScriptJavaScriptECMAScript 7. The web was a disappointment as an application delivery system.Page replacement tooinefficient.Java applets failed. No one believed in JavaScript. 8. The Web Is Dead. The future is not document retrieval. The future is distributed programming. 9. Another software technology will come along and kill off the Web... And that judgment day will arrive very soon -- in the next two to threeyears. George F. ColonyChairman of the Board andCEO Forrester Research, Inc. [2000] http://web.archive.org/web/20001019084041/http://www.forrester.com/ER/Marketing/1,1503,21 10. Microsoft abandoned the web. 11. AJAX! JavaScript gets a second chance. 12. Reasons to Hate JavaScript It has bad parts. The DOM is awful. It isnt Java, C#, C++, Python, Ruby, It didnt die. 13. There are reasons to likeJavaScript It has good parts. 14. JavaScript is a functional language with dynamic objects and familiar syntax. 15. It scales from beginners tomasters. 16. JavaScript is especially effective in an event-drivenapplication model. 17. Programs in JavaScript can be significantly smaller than equivalent programs in other languages. But you must learn to think in JavaScript. 18. Beyond the browser Applications. Operating Systems. Databases. Mobile. Consumer electronics. Servers. 19. Can we make JavaScript a better language? The web is difficult to change. 20. The most effective way tomake JavaScript a better language is to remove thebad parts.JSLint.com 21. Avoid forms that are difficult to distinguish from errors.JSLint.com 22. Correct the {block scope} problem. New let and const statementsto replace var. 23. Better support for variadicfunctions The arguments array has lotsof problems. 24. New syntax is useless if youmust support older browsers. New syntax === syntax errors 25. IE6 is fading very slowly. Five years ago I predicted thatIE6 would fade away in five years. 26. There are more obsolete copies of IE in use than Opera, Safari, and Chrome combined. IE6 is hanging on because weare allowing it to hang on. 27. IE6 MUST DIE! 28. Decimal? 0.1 + 0.2 !== 0.3 29. A better target for compilation? JavaScript has become theworlds virtual machine. 30. An intermediate representation? 31. Macros? 32. Threads? 33. Tail Calls? return func(); 34. More like _______? 35. Exciting new features?Readability.Significant efficiency. 36. Security? XSS 37. What can an attacker do ifhe gets some script intoyour page? 38. An attacker can request additional scripts from anyserver in the world.Once it gets a foothold, it canobtain all of the scripts itneeds. 39. An attacker can read thedocument. The attacker can see everythingthe user sees. 40. An attacker can make requests of your server. Your server cannot detect thatthe request did not originatewith your application. 41. If your server accepts SQL queries, then the attacker getsaccess to your database.SQL was optimized forSQL Injection Attacks 42. An attacker has control over the display and can requestinformation from the user. The user cannot detect that the request did not originate with your application. 43. An attacker can send information to servers anywhere in the world. 44. The browser does not prevent any of these. Web standards require theseweaknesses. 45. The consequences of a successful attack are horrible.Harm to customers.Loss of trust. Legal liabilities. 46. Cross site scripting attacks were invented in 1995. We made no progress on thefundamental problems in 14 years. 47. Why is there XSS? The web stack is too complicated. Too many languages, each with its ownencoding, quoting, commenting, andescapement conventions. Each can be nested inside of the others. Browsers do heroic things to make sense ofmalformed content. Template-based web frameworks are optimized for XSS injection. 48. Why is there XSS? The JavaScript global object gives every scrap of script the same set of powerful capabilities. As bad as it is at security, the browser is a vast improvement over everything else. The browser does distinguish between the interests of the user and the interests of the site. The browser failed to anticipate that there could be additional interests. 49. Fundamentally, XSS is aconfusion of interests.It is dangerous and must becorrected now. 50. Solving the XSS problem should be our #1 priority. We cannot tolerate web standards that make things worse. 51. Mashups!A mashup is a self-inflicted XSSattack. 52. Advertising is a mashup. Advertising is a self-inflicted XSS attack. 53. Safe JavaScript Subsets Deny access to the global object and the DOM.Caja. http://code.google.com/p/google- caja/ ADsafe. http://www.ADsafe.org/ 54. ECMAScript Fifth Edition StrictDecember 2009 55. ES5/Strict makes it possible to have static verification of third party code withoutover-constraining the programming model. The best of both Caja andADsafe. 56. There is still more work to be done ES5/Strict cannot protect the page from XSS script injection. ES5/Strict can protect the page from the widgets, but it cannot protect the widgets from the page. ES5/Strict is an important step toward a programming model in which multiple interests can cooperate for the users benefit without compromising each other or the user. 57. IE6 MUST DIE! 58. ES5/Strict does not solvethe XSS problem. Fixing ECMAScript is a necessary step. But it is also necessary to fix theDOM. 59. The DOM is an awful API. It inflicts tremendous pain ondevelopers. It enables XSS attacks. 60. HTML5A big step in the wrongdirection. 61. How HTML5 makes things worse 1. It is complicated. Complexity is theenemy of security. 2. It gives powerful new capabilities tothe attacker, include access to thelocal database. 3. HTML5 will take a long time tocomplete. Does a solution to the XSSproblem have to wait until HTML6? 62. Reset. Throw the current HTML5 proposal out and start over. The new charter makes the timely solution of the XSS problem the highest priority. The old HTML5 set can be mined for good ideas as long as that does not undermine the prime directive. 63. The Next Browser Standard HTML4/ECMAScript 5 Compatibility mode to support old applications. An opt-in safe mode that has a new HTML language, ECMAScript 6, and a new DOM. The new DOM should look like an Ajax library. 64. Many popular approaches tosecurity fail. Security by inconvenience. (TSA) Security by obscurity. Security as identity. Security by vigilance. 65. Security can fall out of good software design. 66. Information Hiding Need to know David Parnas On the Criteria to Be Used in Decomposing Systemsinto Modules. (1972) 67. Information Hiding Need to knowA reference is a capability.Capability Hiding Need to do 68. There are exactly three waysto obtain a reference in an object capability security system. 1. By Creation. 2. By Construction. 3. By Introduction. 69. 1. By CreationIf a function creates an object,it gets a reference to that object. 70. 2. By Construction An object may be endowed by its constructor with references.This can include references in the constructors context and inheritedreferences. 71. 3. By Introduction A has a references to B and C. B has no references, so it cannot communicate with A or C C has no references, so it cannot communicate with A or BA C B 72. 3. By IntroductionA calls B, passing a reference to C.A C B 73. 3. By IntroductionB is now able to communicate with C. ACB It has the capability. 74. If references can only beobtained by Creation, Construction, or Introduction, then you may have a safesystem. 75. If references can beobtained in anyother way, you donot have a safesystem. 76. ECMAScript is being transformed into an ObjectCapability Language. The browser must betransformed into an ObjectCapability System. 77. The Lazy Programmers Guide to Secure Computing Marc Stieglerhttp://www.youtube.com/watch?v=eL5o4PFuxTY 78. The Web isimportantenough to fix. HTML5 does not fix the web.It makes it worse. Reset HTML5 and start over.