
security:
reading and writing files

Can JavaScript access files?

No -- and yes. Part of the design criteria for JavaScript is that malicious web programmers will not be able to gain access to security-sensitive resources on the client's machine. This, of course, requires that JavaScript not be able to access the client's file system.

There is one important exception, however. When a web server responds to a request for a document, it may send, packaged together with the document, a small file called a "cookie." If cookie caching has been enabled on the client's browser, then that cookie will be saved in a special directory on the client's hard drive. Later, when the user decides to return to the web site from which the cookie originated, the cookie will be automatically sent in conjunction with the HTTP request. Thus, the server is able to store, on the client's machine, persistent "state information" about the user's recent activity on the remote web site.

JavaScript has functions which enable access to these cookies -- but only to cookies which have originated from the same web site. It can store them, modify them, and even delete them. Thus, JavaScript truly can access files on a client's hard drive, but only in a limited, non-threatening manner.
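The store, modify and delete operations described above, written against the browser's document.cookie string. This is an added example, not code from the original page; the helper names and makeFakeDocument (a constructed, simplified stand-in for the browser's per-site cookie store) are assumptions made so the code also runs outside a browser.

```javascript
// Added example. In a web page, pass the real `document` as `doc`.
function setCookie(doc, name, value, days) {
  let c = encodeURIComponent(name) + "=" + encodeURIComponent(value) + "; path=/";
  if (days !== undefined) {
    c += "; expires=" + new Date(Date.now() + days * 864e5).toUTCString();
  }
  doc.cookie = c; // assignment adds or replaces ONE cookie, not the whole list
}

function getCookie(doc, name) {
  // Reading yields "n1=v1; n2=v2" for this site's cookies only, no attributes.
  for (const pair of doc.cookie.split("; ")) {
    const eq = pair.indexOf("=");
    if (eq > 0 && decodeURIComponent(pair.slice(0, eq)) === name) {
      return decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return null;
}

function deleteCookie(doc, name) {
  setCookie(doc, name, "", -1); // an expiry date in the past removes the cookie
}

// Constructed stand-in for `document` (hypothetical, not a browser API) so the
// helpers run outside a browser. Simplified model: one jar per host name.
function makeFakeDocument(store, host) {
  const jar = store[host] || (store[host] = new Map());
  return {
    set cookie(str) {
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const eq = pair.indexOf("=");
      const exp = attrs.find((a) => a.toLowerCase().startsWith("expires="));
      if (exp && new Date(exp.slice(8)) <= new Date()) jar.delete(pair.slice(0, eq));
      else jar.set(pair.slice(0, eq), pair.slice(eq + 1));
    },
    get cookie() {
      return [...jar].map(([k, v]) => k + "=" + v).join("; ");
    },
  };
}
```

Names and values are URL-encoded before storage because a raw ";" or "=" in a value would otherwise be read as cookie syntax.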

Further information on cookies and how to access them via JavaScript can be found on Netscape Communications' web site at

http://www.netscape.com/newsref/std/cookie_spec.html .

Charlton Rose
9/23/96