Why should I allow JavaScript, Java, Flash and plugin execution only for trusted sites?
JavaScript, Java and Flash, although very different technologies, have one thing in common: they execute code coming from a remote site on your computer. All three implement some kind of sandbox model that limits what remote code can do: for example, sandboxed code shouldn’t read or write your local hard disk, nor interact with the underlying operating system or external applications. Even if the sandboxes were bulletproof (not the case, read below) and even if you or your operating system wrap the whole browser in another sandbox (e.g. IE7+ on Vista or Sandboxie), the mere ability to run sandboxed code inside the browser can be exploited for malicious purposes, e.g. to steal important information you store or enter on the web (credit card numbers, email credentials and so on) or to “impersonate” you, e.g. in fake financial transactions, launching “cloud” attacks like Cross Site Scripting (XSS) or CSRF, with no need for escaping your browser or gaining privileges high
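The point above, that code needs no sandbox escape to act in your name, can be seen in a toy model. This is an added example, not code from the original FAQ or from any browser or extension; the cookie jar, host names, session value and function names are all constructed assumptions.

```javascript
// Toy model (constructed; not a real browser API). A browser attaches cookies
// according to the request's destination host, no matter which page's script
// issued the request. That ambient authority is what sandboxed code can abuse.
const cookieJar = { "bank.example": "session=abc123" }; // constructed sample value

// Default-deny allowlist: only these sites may run scripts (assumed policy,
// exact host match only, so subdomains are not implicitly trusted).
const trustedSites = new Set(["bank.example"]);

// Permissive policy for comparison: every site may run scripts.
const allowAll = { has: () => true };

function hostOf(url) {
  return new URL(url).hostname;
}

// Decide whether a script served by pageUrl may execute at all.
function mayRunScript(pageUrl, policy) {
  return policy.has(hostOf(pageUrl));
}

// Simulate a script on pageUrl sending a request to targetUrl.
// Returns what the target server would see, or null if the script never ran.
function scriptedRequest(pageUrl, targetUrl, policy) {
  if (!mayRunScript(pageUrl, policy)) return null;
  const initiator = hostOf(pageUrl);
  const target = hostOf(targetUrl);
  return {
    initiator,
    target,
    cookie: cookieJar[target] || null, // attached by destination, not by initiator
    crossSite: initiator !== target,
  };
}

// With scripts allowed everywhere, an unrelated page's request arrives at
// bank.example carrying the user's session cookie, with no sandbox escape.
const permissive = scriptedRequest(
  "https://untrusted.example/page", "https://bank.example/transfer", allowAll);

// With the allowlist, the same script never executes, so no request is sent.
const restricted = scriptedRequest(
  "https://untrusted.example/page", "https://bank.example/transfer", trustedSites);

console.log({ permissive, restricted });
```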