Why JavaScript is a security risk

arrgghh!

“Embed tags, iframes, forms, flash and Javascripts are banned for security concerns. It would be child’s play for a hacker to pull your login cookies if they were allowed.” — drmike on the wordpress.com forum

“Use JavaScript code sparingly and carefully. Most JavaScript code libraries on the web provide a number of useful and benign functions that help extend a website’s functionality. However, always keep in mind that many known security exploits use JavaScript code to perform security breaches on networks or on personal computers, particularly in a Windows environment. If you don’t understand what a JavaScript code does, it’s generally not a good idea to embed it in your site.” (Duke University, Office of Web Services)

Let me explain (for those who don’t already know) why wordpress.com can’t allow JavaScript on free hosted blogs on their WPMU (multi-user blogging platform).

Blogs are served from {name}.wordpress.com. The WordPress cookie is delivered to any site that ends in wordpress.com. Any Javascript on the page is legitimately allowed to look up cookies that would be sent to the domain it’s served from.

This means that if you can run Javascript on a hosted WordPress page, you can retrieve the login cookie from another WordPress user, and then pass it to an external site. (Generally by creating an image reference that includes the encoded login cookie.)

This is just a basic part of the underlying technology of the web browser, and it’s required for sites like Gmail, Yahoo!, and others to operate.

There are ways a site can avoid this problem (generally by constantly changing the login cookie data with EVERY response, and invalidating the old ones immediately), but they require more horsepower on the backend than the blogging sites are really able to provide, and there’s still usually a small window of opportunity.

This is why LiveJournal, WordPress, and most other hosted sites disallow JavaScript on their pages. I hope that helps!
Comment by Morgan Schweers, CyberFOX!, September 19, 2006 @ 1:24 pm

Other references that may be of interest:
WordPress.com FAQs
Myspace security measure disables viral spread of widgets
Second Life – Urgent Security Announcement