1. Field of the Invention
The present invention relates generally to granting access between computers, and more specifically to providing a way to authenticate the source of browser-supported scripts to screen out malicious instructions.
2. Description of the Related Art
A Web browser is a software application that enables a user to display and interact with markup language documents, for example, hypertext markup language (HTML) documents, hosted by Web servers or held in a file system. Popular browsers include Opera™, Mozilla™ Firefox and Microsoft® Internet Explorer (Opera is a trademark of Opera Software AS, Mozilla is a trademark of Netscape Communications Corporation, Microsoft is a trademark of Microsoft Corporation.
Browsers are directed to connecting data through displaying highlighted text and graphics that provide references to additional content, such as markup language documents. The ability to externally reference data provides an excellent way to augment, what might otherwise be referred to with difficult to locate footnotes.
In order to better extend the versatility of browsers, browser creators built in support to handle instructions. Some browsers support ‘scripting languages’. A scripting language is a language that may be embedded within a markup language file. Such languages are often visible when a user operates a ‘show source’ function, common in most modern browsers. A browser that supports a scripting language is a script supporting browser. Some examples of scripting include JavaScript™ and Visual Basic® development system (JavaScript is a trademark of Sun Microsystems, Inc., Visual Basic is a trademark of Microsoft Corporation.
A script that is read or opened by a browser may provide instructions to the computer that supports the browser. The computer executes these instructions. Sometimes, the markup language document instructs the computer immediately execute the script upon rendering the document.
Some computers may support a browser that in addition to supporting scripting, may permit a script to access various functionality of the operating system. The functionality includes, for example, permitting disk operating system commands of a script to execute on the local machine that supports the browser. Unless some security or authentication is interposed on such computers, it may be possible for a file or markup document present on a browser to execute hostile commands. These hostile commands include, for example, executing a command “command/c del *.*” in an old disk operating system (DOS), which may cause all files in the current directory to delete.
Some browser vendors provide an arbitrary command function that gives, for example, power to execute file reads, file writes, and file creates on the client computer. Moreover, a potential is present that by expanding capabilities as described, a Web page having scripts in a child window may access the script of the parent window. In that situation, the scripts assume the authority of the parent window. In this case, a child window is a window that is opened by a parent window, for example, by a user mouse clicking on a hypertext reference of the parent window. In this situation, a malicious code may be found at a child window, or perhaps a child of a child window. Malicious code or a malicious script becomes associated with a child window when a client browser renders a Web page from an unknown Web host. When the browser renders the Web page, the browser opens a child window. The script of the Web page may instruct the client browser to execute the malicious code on opening the child window for displaying the Web page. Since each window inherits the context of the parent, each child may execute scripting functions of the ancestor that exist one or more levels prior to the malicious child window.
A function can be a powerful function because the function is able to access information. It may be hazardous to permit an unknown Web host having an unknown Web page to execute an unknown script accessing a powerful function from a trusted Web host. Some of the risk may be eliminated by authenticating the unknown script with known correct criteria, such as read-only properties set by a client browser upon rendering a window.
Powerful functions include functions that access, create, modify or delete files on a local client browser. A file may include data stored to volatile memory. It may be acceptable to allow a trusted Web host to provide instructions to execute powerful functions. It may be unwise to permit unknown Web hosts to provide instructions to execute powerful functions. A particularly harmful powerful function is “command/c del *.*”, which deletes all files in a local client browser's current directory.
String matching is a well known technique to confirm that a password transmitted by an unknown person or agent is valid as compared with a host computer that has a known correct password. Since some operating systems may vary in the character interpretation and storage of a carriage return, also known as an enter, it is known to replace the various character interpretations with a uniform character, especially where a string of characters is identical to a known correct password, but for the interpretation of the carriage return. The process of converting peculiar character interpretations to a common and uniform character is known as homogenizing a string, or simply homogenizing.
An object constructor is a software program that creates an object that includes methods and data or instance fields. Every object has certain properties. For example, properties include a space allocated in a computer to store the methods and instance fields. In the JavaScript language, a computer that executes JavaScript code reserved word ‘function’ creates an object having a name. A software developer usually selects the name to be meaningful. In some specialized circumstances, it is better to have an object without a name. In these instances, a software developer may use the JavaScript reserved word ‘Function’, which is distinguishable from ‘function’ by the capital letter. The ‘Function’ is a function object constructor, which describes how to create an object when invoked by a JavaScript supporting browser, among other things.
Read-only properties are those properties associated with an object that remain unchanged during the period that an object exists. As has been noted, an object may be constructed when invoked. Similarly, an object may be destructed, wherein the memory allocated to the object is released to another program for the other program's use. For example, the memory may be released to the operating system. Destructing the object does not require overwriting the memory where aspects of the object were stored. When destructed, an object no longer exists. Window read-only properties include a reference to the beginning of memory where a window object is stored, among other things.