Signing Javascript

[Colin Clark]

Hi David,

On 28-Nov-08, at 12:45 PM, David Makalsky wrote:

> Do we have a fluid standard for signing javascript?  Does anyone have
> any experience signing javascript?


It's a pretty unusual case to have to deal with signed scripts. In  
general, JavaScript is untrusted code running within the browser  
sandbox. Fluid components have to work within this environment and not  
impose and additional hurdles for the user, so it's never been an issue.

When it comes to working with signed applets across LiveConnect, I've  
really never encountered this issue in the wild, but a few interesting  
tidbits popped up using The Google:

http://jontayler.blogspot.com/2006/08/java-signed-applet-security-insanity.html

If you really want to try signing your JavaScript, I found this old  
article about signing scripts in Firefox. It looks like you'll have to  
distribute your JS code in a JAR file, which is a pretty odd  
deployment profile for JavaScript code. Be sure to test extensively  
across browsers. Hopefully this will help:

http://www.mozilla.org/projects/security/components/signed-scripts.html

As for general feedback about JavaScript development, I'd suggest you  
move your JavaScript code out of onclick handlers in the HTML and into  
your rascal.js file, binding event handlers unobtrusively. A toolkit  
like jQuery will simplify this for you a lot. I'd also suggest you  
keep the functions in rascal.js out of the global namespace to avoid  
collisions. All easy fixes, and there's tons of documentation in the  
Fluid wiki to help you with it:

http://wiki.fluidproject.org/display/fluid/DHTML+Developer+Checklist
http://wiki.fluidproject.org/display/fluid/Fearless+JavaScript+Workshop

Colin

---
Colin Clark
Technical Lead, Fluid Project
Adaptive Technology Resource Centre, University of Toronto
http://fluidproject.org