fddsf fddsf - 4 months ago 26
Javascript Question

Why can't JavaScript send commands to the OS level?

If HTML, CSS, and JavaScript are processed by the user's computer, why can't JavaScript send commands to the OS level? I know if this happened, hackers could exploit a lot of computers but what prevents it from happening?


Simple answer: it's the browser. You see, the browser is like any other program on your computer; given enough permissions, it can do whatever it wants through system calls. It can access your hard drive (and not just simple filesystem access, I mean block/sector-level access), reading or deleting whatever it wishes. It can even read/edit your MBR! Other fun stuff like ejecting the CD tray, putting the OS into shutdown or sleep, formatting your drives xD, infinite nag screens, disabling network adapters, and other crazy cool stuff you can imagine can all be done if browser makers wish to expose that functionality through JavaScript.

For example, suppose Microsoft in some distant future were to expose some system API through a system object, much analogous to the window object in the current JavaScript spec. You write a script like this one: <script>system.ejectDrive['cd']</script>. The browser may translate it into an actual WinAPI call, mciSendCommand(mPar.wDeviceID, MCI_SET, MCI_SET_DOOR_OPEN, 0); and bingo! It's cool, but what if a hacked eBay server sent you code for wiping your D:\ drive clean? Now you can imagine why browser makers take security so seriously.
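The point of the answer above, that a script can only reach what its host chooses to expose, as an added example that is not part of the original answer. It uses Node's `vm` module as a stand-in for a browser's script engine; the `system.ejectDrive` binding, the origins and the policy table are hypothetical, and `vm` itself is not a security boundary.

```javascript
// Added illustration: a host decides which names a page script can resolve.
const vm = require('node:vm');

// Hypothetical host policy: origin -> capabilities it may invoke.
const POLICY = new Map([['https://intranet.example', new Set(['ejectDrive'])]]);

// Build the global object a script from `origin` will see. The script resolves
// global names only against this object plus the language built-ins.
function makePageGlobals(origin, auditLog) {
  const allowed = POLICY.get(origin) || new Set();
  const system = Object.freeze({
    // Hypothetical binding mirroring the answer's system.ejectDrive idea.
    ejectDrive(drive) {
      const granted = allowed.has('ejectDrive');
      // Every attempt is recorded, whether or not it is allowed.
      auditLog.push({ origin, call: 'ejectDrive', drive: String(drive), granted });
      if (!granted) throw new Error('permission denied');
      // A real host would make the OS call here; this sketch only records it.
      return 'eject requested';
    },
  });
  return { system };
}

// Run `source` as a page script. With exposeSystem=false the host binds nothing,
// which is the situation of ordinary page JavaScript today.
function runPageScript(source, origin, { exposeSystem }) {
  const auditLog = [];
  const globals = exposeSystem ? makePageGlobals(origin, auditLog) : {};
  let result;
  try {
    result = String(vm.runInNewContext(source, globals, { timeout: 100 }));
  } catch (err) {
    result = `${err.name}: ${err.message}`;
  }
  return { result, auditLog };
}

// Constructed sample script and origins.
const script = "system.ejectDrive('cd')";
console.log(runPageScript(script, 'https://shop.example', { exposeSystem: false }).result);
console.log(runPageScript(script, 'https://shop.example', { exposeSystem: true }).result);
console.log(runPageScript(script, 'https://intranet.example', { exposeSystem: true }).result);
```

Even when the binding exists, the host checks the calling origin before acting and logs the attempt, which is the same role browser permission prompts and same-origin checks play for the APIs browsers do expose.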