Back to the Web Developer's Journal Main Page
internet.com
side nav bar

Signed Scripts
HOW DID THEY DO THAT???

Find out in:
Amazing HTML



Site Map
Jobs at webdeveloper.com


Check out our Web-based
Discussion Groups:

Check out and join our email-based Mailing Lists for Web developers.


Discussion Groups Book Reviews Software Reviews Download Web Tools

Start creating cool scripts.

Sign In, Please

by Gary Lee

Some people don't want any Tom, Dick, or Mary to have the ability to poke around their computer, so Netscape only allows signed scripts to have special access to your computer. How do you sign scripts?
June 18, 1998

A long time ago, people wanted to use JavaScript on their Web pages to read and write files on the local hard disk, and do a myriad of other nasty little things on the computer the Netscape Web browser was running. Instead of deriding their ancestry (like I would've done), Netscape listened to what customers wanted and introduced this ability in Navigator 4. That is why I am stuck writing dinky little articles for free coffee and washroom privileges, while Netscape is a big, powerful, popular company about to be destroyed by Microsoft.

Step 1: Have a script to sign.

Let's say you have some JavaScript functions in the HEAD of an HTML page that you want signed. Then you can also say you have completed Step 1.

Step 2: Spend money on a certificate.

A certificate is a little file that can be used to identify who you are. You can buy one from a Certificate Authority, like VeriSign, that can be used by anyone on the Net to check who you are. Or, you can buy something like Netscape's Certificate Server to produce certificates valid inside an office Intranet.

If you just want to experiment with signed scripts and do not want to bother with getting a certificate, you can add a little line in your prefs.js file that looks like: 

user_pref("signed.applets.codebase_principal_support", true);

(I don't know where your prefs.js file is on your hard disk. Apparently there's a rumour out there that I can psychically determine the status of people's computers. At least, that is the impression I get from the e-mail I get saying things like "your script doesn't work...do you know why?" The answer "I don't care" usually fixes the problem.)

(On my Linux computer, it's called preferences.js, and located in the .netscape directory of my home directory.)

If you do this, your browser will let non-signed scripts act like signed scripts. When you are done playing around, change the true to false. Immediately. Or you might be very sorry.

If you've modified your prefs.js, you can skip the next step.

Step 3: Download a little signing tool from Netscape and run it.

The signing tool will read a file containing the JavaScript (like the HTML file in Step 1) and a certificate, ponder deep thoughts for a few moments, then "sign" it by spitting out a JAR (Java Archive) file. This file can then by used by a Netscape browser to verify the script has not changed since it was signed, and that it was created by you, or whoever has stolen your certificate.

Now, let us create a script that actually utilizes the extra privileges afforded to signed scripts. 

<SCRIPT LANGUAGE="JavaScript" ARCHIVE="archive.jar" ID="1">
function writeThisFile(str) {    

   var filename = "/home/glee/test"
   
   netscape.security.PrivilegeManager.enablePrivilege
   ("UniversalFileWrite")

   var fos = new java.io.FileOutputStream(filename)
   var pw = new java.io.PrintWriter(fos, true)
   pw.println(str)
   pw.close()
   fos.close()    

   netscape.security.PrivilegeManager.disablePrivilege
   ("UniversalFileWrite")
   } 
</SCRIPT>

This first thing to note is the <SCRIPT> tag. The ARCHIVE attribute points to the JAR file (see Step 3). A unique ID is also needed for each SCRIPT. If there was a second SCRIPT, I might give it an ID of 2. After the signing tool reads the file containing the above JavaScript, it will spit out the corresponding JAR file which you place in the same directory.

The next thing to see is the netscape.security.PrivilegeManager lines at the beginning and end of the function. This privilege request is the reason why this script has to be signed. There are a whole list of privileges you can ask for. You can view them at http://developer.netscape.com/library/documentation/signedobj/targets/index.htm.

Finally, the filling between the privilege requests might look a little odd. It is actually a hybrid of JavaScript and Java. Netscape Navigator 4 has something called LiveConnect, which among other things, allows JavaScript to call Java methods directly. (Pretty nifty.) So, we are using Java's input/output methods to write to a file. The function creates an instance of the FileOutputStream class using the name of the file to be written to, then uses that to create an instance of the PrintWriter class, then uses the println method to write out a string to the file. It might sound convoluted, but that's just how Java works.

Isn't this easy? Probably not. Is this enough information to start creating cool scripts? Probably not. But at least you know you'll have to figure out what privileges are available, delve into Java, download the script signing tool, get a certificate... Try it out, and check the resources below for some more coherent information about signed scripts.

Related Links:





Gary Lee is a co-owner of meep! media inc., an Internet and Intranet consulting company. He is also one of the programmers, and creator of meep! media's first product, meep!Board, a message board system. Gary is the Editor of Web Tech, one of meep! media's online publications.

Back to the Web Developer's Journal
Contact WDJ   •    Suits!   •    Propheads!   •    Ponytails!
Discuss   •    Subscribe   •    Search

Be a Commerce Partner