Reputation: 145
Can WebSocket be an alternative to a Java applet?
Is it possible use the WebSocket API of JavaScript, to communicate with a native application, on the client side, like an alternative to an applet, which have to access to the file system?
I will communicate with the client side by ws://localhost:xxxx, but I don't know if I could do it.
And If I could, this will be secure. Will I have to take some security considerations?
Upvotes: 3
Views: 1065
Answers (1)
Reputation: 1269
No, you can not install a WebSocket server on a user's machine to replace the functionality of accessing the local filesystem in the same way that Java applets would.
Not without the user actively installing the WebSocket server on their own machine intentionally.
Your biggest problem is that the Javascript client code does not have unrestricted access to the user's filesystem. This is a security feature. This is an important security feature. You can not place arbitrary files on the user's machine in arbitrary places.
After that, Javascript client code also can not start processes on your system, even if it could get a WebSocket server installed in an arbitrary location. Again, this is a critical security feature.
And finally, if your Javascript client code could install and execute arbitrary software on the user's machine, you wouldn't need a WebSocket server for the use case you're looking for right now.
If you were to convince a user to install a WebSocket server on their own machine for your use case, which is to access the user's local filesystem, then you would have major security concerns to take into consideration. Not all filesystems have user and group based read/write/execute permissions... and even then, the user might start the server from within a privileged account.
The browser is designed to implicitly trust the server that it's attached to as far as whatever Javascript it receives. If your user later browses a malicious site which knows about your locally installed WebSocket server, and what commands it might expect, the browser will quite happily allow the malicious server to send any commands to your user's WebSocket server that they wish.
With my strong personal recommendation to respect the sanctity of the user's filesystem and obey the restrictions that browsers place on Javascript clients access to the local machine, if you do decide to try to convince your users to install a local WebSocket server, you must take absolute care to be as security conscious as possible. Validate *all* input, regardless of whether you think an attacker can't possibly generate it, and never blacklist known risks, ONLY whitelist known safe functions.
Remember, if you do anything to expose the user's filesystem to the web, you are pretty much handing the keys to their computer over to anyone who can find the door.
Upvotes: 1
Related Questions
- How can I validate an email address in JavaScript?
- How do I read / convert an InputStream into a String in Java?
- How can I remove a specific item from an array in JavaScript?
- Is Java "pass-by-reference" or "pass-by-value"?
- How do I efficiently iterate over each entry in a Java Map?
- How can I create a memory leak in Java?
- How do I avoid checking for nulls in Java?
- How do I generate random integers within a specific range in Java?
- When to use LinkedList over ArrayList in Java?
- What are the differences between a HashMap and a Hashtable in Java?