HotJavaTM Browser Version 3.0 interprets JavaScriptTM code contained within HTML pages. HotJava Browser 3.0 mirrors the Netscape NavigatorTM 3.0 handling of JavaScript, and in most cases this browser can be counted on to handle any script that Netscape Navigator can handle. HotJava Browser also reflects the ECMA Script standard (cited below).
However, several design decisions had to be made which cause HotJava Browser to deviate from the NetscapeTM model. This document outlines and explains those design decisions. It details the instances where HotJava Browser and Netscape Navigator do not behave in the same way. You should look for any topic not covered here in Netscape's JavaScript documentation.
HotJava Browser does not support the following:
The other features of Netscape that are not supported by HotJava Browser can be grouped into three categories:
Intercepting Events
Document events: HotJava Browser does not implement any of the Netscape event capturing, routing, or releasing methods. To do so would require every possible event source to route its events through the JavaScript event hierarchy before processing them normally, which would cause performance problems. Because the Netscape Navigator method of event capturing differs so significantly from the event bubbling in Microsoft Internet Explorer, few web pages use these methods.Image events: Image objects in HotJava Browser have no way to receive keyboard focus (though of course they can handle mouse events). Therefore, despite their appearance in the Netscape JavaScript specification, the key event handlers
onKeyPress,
onKeyDown,
andonKeyUp
have no effect on images in HotJava Browser.Link events: Like Image objects, Link objects cannot receive keyboard focus under HotJava Browser. Therefore, defining key event handlers for them will have no effect.
In addition, the
handleEvent()
method is not implemented for any of the following classes of objects:
- Button
- Checkbox
- Document
- FileUpload
- Form
- Image
- Link
- Password
- Radio
- Reset
- Select
- Submit
- Text
- TextArea
- Window
HotJava Browser Script Security Management
The JavaScript implementation in HotJava Browser adheres strictly and simply to the No Privilege model. Adherence to this policy is a security feature, ensuring that no JavaScript can invade your system via HotJava Browser. HotJava Browser does not acknowledge any security-overriding settings such asUniversalBrowserWrite, UniversalPreferencesRead,
or the like.The JavaScript Security documentation cites three ways security has been managed, which together span Netscape Navigator versions 2.0 through 4.0. HotJava Browser treats each method as follows:
- Same origin policy
HotJava Browser will enforce the same origin policy on all JavaScript it reads. Scripts from one domain (the hostname field of a document's URL, such as java.sun.com) are not permitted to read any information from the objects from any other domain. The same origin policy extends as well to the port through which the script loaded, and to its protocol (http, https, or ftp).
Netscape specifications allow pages within a larger domain to synchronize communication with each other via the
document.domain
property. For example, if pages from www.yahoo.com and quote.yahoo.com wanted to communicate with one another using JavaScript, each page could set itsdocument.domain
property to yahoo.com. This method works in HotJava Browser as well.In all other cases, only scripts of exactly the same origin are permitted to:
- Access the method
window.find()
- Read or write the properties
image.lowsrc
andimage.src
- Read or write all
location
properties exceptx
andy
- Read the
document
propertiesanchors, applets, cookie, domain, elements, embeds, forms, lastModified, length, links, referrer, title, URL, and formName
- Write to any
document
properties
- Data tainting
navigator.taintEnabled
, which was in effect only for Netscape Navigator 3.0 and was then abandoned, always returns false in HotJava Browser. The Navigator 3.0 data-tainting security model is not used in HotJava Browser.
- Signed scripts
HotJava Browser will not allow signed scripts privileges that are ordinarily forbidden for security reasons. In any case where Netscape Navigator would prompt the user, asking whether to grant additional privileges to the currently executing JavaScript, HotJava Browser will simply refuse to grant such permission.
Specifically, HotJava Browser does not permit JavaScripts, whether signed or not, to do the following:
- Read or modify any files on hard disks or other storage media connected to user's computer
- Access History object elements
- Change the value of a FileUpload object
- Use the
about:
URL protocol
- Set any value of an Event object
- Get the
data
property from any DragDrop event (because DragDrop is not supported at all.)
- Read or write with the
preference()
method
- Submit a form to any
mailto:
ornews:
URL
- Open or resize any window to a size of less than 100 x 100 pixels
- Close any browser window without prompting the user, unless the script itself opened it
- Move a window off the screen or resize a window larger than the screen
- Create a window without a title bar
- Add or remove the user interface objects of any browser window (directory bar, location bar, menu bar, tool bar, status bar, scroll bar, personal bar)
- Use the
enableExternalCapture()
method of any window object to capture events in pages that were loaded from other serversNote: HotJava Browser can grant additional privileges to applets that come from signed archives. In some cases where you would want to use signed scripts to relax security, such as to enable file modification and saving, consider using an applet. You may be able to write a Java applet to perform the desired function. Place the applet in a Java archive file along with the necessary digital signature files.
LiveConnect
LiveConnect is the Netscape JavaScript/Java communication mechanism. In Netscape Navigator 4.0, JavaScript functions can call a Java applet's public methods and can get the values of its public members, and Java applets may call JavaScript functions. LiveConnect is documented online in the Netscape JavaScript Guide, Chapter 5.The HotJava Browser implementation of LiveConnect is limited to one direction: JavaScript calls to Java. HotJava Browser does not support Java-to-JavaScript calls in this release because of the security issues this feature opens up and the incompatibilities between the way Netscape Navigator and Microsoft Internet Explorer handle this issue.
<SCRIPT> attributes not implemented:
- FOR (a Microsoft Internet Explorer-only attribute)
- EVENT (a Microsoft Internet Explorer-only attribute)
<SCRIPT> attributes implemented specially:
- LANGUAGE executes all JavaScript and ECMAScript without version numbers as if it were JavaScript 1.4. If the LANGUAGE attribute is absent, JavaScript 1.4 is also assumed. If other LANGUAGE attributes are specified, HotJava Browser handles them as long as they are recognized languages from the following list. <SCRIPT LANGUAGE=""> can only have the following (case-insensitive) values:
- JavaScript (parsed as JavaScript 1.4)
- JavaScript1.n (where n is between 0 and 4)
- ECMAScript (parsed as JavaScript 1.4)
- ECMAScript1.n (where n is between 0 and 4)
- LiveScript (parsed as JavaScript 1.0)
- Mocha (parsed as JavaScript 1.0)
Any other <SCRIPT LANGUAGE=""> value (for example, jscript) will cause the browser to ignore the entire SCRIPT block. Only use the LANGUAGE attribute if you can use a LANGUAGE value from the above list in your code.
- Error reporting: For JavaScript enclosed between <SCRIPT> tags, errors are reported to the Java console with line numbers relative to the whole HTML page, as you would expect. On the other hand, other script references not enclosed by <SCRIPT> tags, such as event handlers, report error line numbers relative to the beginning of the current script (which is usually the event handler itself). In that case, a JavaScript error reported to be found on line 0 refers to the beginning line of the event-handling script, not the top line of the HTML code. An error in a <BUTTON onClick="..."> event handler, for example, will report the error as coming from "onclick", line 0.
Date
- The following Date method bears explanation:
- getYear()
According to at least two external pieces of documentation, getYear() is intended to return a two-digit date for years between 1900 and 1999, and four-digit dates for all other years. However, the implementation in Netscape Navigator 4.0 is to return the current year minus 1900. Because this representation is more consistent and will not cause confusion with very small years (the year 70 A.D. versus 1970 A.D.), HotJava Browser uses this implementation.Be aware, however, that this method is deprecated in favor of the method getFullYear() on the Date object.
Document
- Document methods not implemented:
- captureEvents()
- handleEvent()
- releaseEvents()
- routeEvent()
- Document variables not implemented:
- embeds is an empty array, since the <EMBED> tag is not supported.
- layers is an empty array, since the <LAYER> tag is not supported.
- plugins is an empty array, since HotJava Browser does not support Netscape-style plug-ins.
- Document event handlers not implemented:
- onClick
- onDblClick
- onKeyDown
- onKeyPress
- onKeyUp
- onMouseDown
- onMouseUp
Event
- Event variables not implemented:
- data (from DragDrop events)
- height
- layerX and layerY
- modifiers
- pageX and pageY
- screenX and screenY
- which
- width
- x and y
FileUpload
- The FileUpload.handleEvent() method is not implemented.
Form
- The Form.handleEvent() method is not implemented.
History
- Access to History array elements by their reference numbers is not allowed since it is a privileged operation (for example,
myHistory[3]
will not work).
- History methods that operate on a single History stack for the entire window are implemented. However, there are no separate stacks for each frame as specified in the Netscape JavaScript specification. Thus, the following History methods are implemented for the entire window but not for individual frames:
- back()
- forward()
- go()
- History variables not implemented (all undefined for security reasons):
- current
- next
- previous
Image
- The Image.handleEvent() method is not implemented.
- Image event handlers not implemented:
- onKeyDown
- onKeyPress
- onKeyUp
Layer
HotJava Browser does not support the <LAYER> tag, so Layer objects are also not defined for its JavaScript implementation.
Link
- The Link.handleEvent() method is not implemented.
- Link event handlers not implemented:
- onKeyDown
- onKeyPress
- onKeyUp
Location
- The
hash
Location variable varies from the Netscape specification. Setting thelocation.hash
field does not change its current URL, although the browser will scroll to the named anchor as you would expect. The current URL remains the URL for the entire file. For example, if you set thehash
property to #sec2, the URL remains "http://domain/page.html" and not "http://domain/page.html#sec2". Consequently, clicking the browser's Back button while you are viewing the hashed location will not return you to your original place on the same page, but rather to the previous page in your History list.
MimeType
- The MimeType.enabledPlugin variable is always null, since Netscape type plug-ins are not supported.
Navigator
- Navigator methods:
- plugins.refresh is not operational.
- preference() cannot be read or written for security reasons.
- taintEnabled always returns false.
Plugin
HotJava Browser does not support Netscape-type plug-ins, so Plugin objects are not defined for its JavaScript implementation. The Plugins array on the Navigator object is implemented as an empty array, so that scripts referencing plug-ins will not fail when accessing the property.
Radio
- The Radio.handleEvent() method is not implemented.
Reset
- The Reset.handleEvent() method is not implemented.
Screen
- Screen variables:
- availHeight returns the same value as the height property does, which is the return value from the Java expression
Toolkit.getDefaultToolkit().getScreenSize().height
- availWidth returns the same value as the width property does, which is the return value from the Java expression
Toolkit.getDefaultToolkit().getScreenSize().width
- colorDepth returns the same value as the pixelDepth property does, which is the return value from the Java expression
Toolkit.getDefaultToolkit().getColorModel().getPixelSize()
Select
- The Select.handleEvent() method is not implemented.
Submit
- The Submit.handleEvent() method is not implemented.
Text
- The Text.handleEvent() method is not implemented.
TextArea
- The TextArea.handleEvent() method is not implemented.
Window
- Window methods not implemented:
- captureEvents()
- disableExternalCapture()
- enableExternalCapture()
- find(): as mentioned in the Netscape specification, to avoid ambiguity the find method only works with zero arguments or with both boolean arguments specified; if a single argument is supplied, it will be ignored. However, the HotJava Browser does not support backwards find on a page.
- handleEvent()
- open(): windowfeatures argument choices not supported:
- alwaysLowered
- alwaysRaised
- dependent
- directories
- hotkeys
- resizable
- titlebar
- z-lock
- releaseEvents()
- Window variables:
- scrollbars.visible is always true.
- setting innerHeight or innerWidth values on frame objects will have no effect. (Setting innerHeight or innerWidth on top-level window objects will work as expected.)
- frames array: In line with the published specification, HotJava window.frames contains only the frame objects. Netscape uses the window object itself to contain the elements of the frames array. In other words, in Netscape,
window.frames == window
.
- Window event handlers:
- The
window.ondragdrop
event handler is not implemented, as HotJava Browser does not use drag and drop.
- The
window.onload
event handler fires in a different order than Netscape's during the loading of a frameset. In Netscape, the child frames' onloads complete, then the frameset onload fires. In HotJava Browser, the frameset's onload fires before the child frames' onloads do. HotJava Browser does not use drag and drop.