You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

Important Terms in JavaScript Security

A certificate is the public key of a key-pair, combined with information identifying the key's owner and signed by the private key of a certificate authority. The signature of the certificate authority provides some guarantee that the public key in the certificate corresponds to the ownership information. A certificate is the online equivalent of an ID card: it can be used to sign files, and to verify the origin of a signed file.
By using a certificate, a developer can sign a web page and its associated code. A signing program, like Netscape's SignTool first compresses the files to be signed. The program uses the user's certificate to generate a signature unique to the user and the signed files. This signature is included with the files in a JAR file. If the contents of the JAR file are modified after signing, the user's browser will be able to tell, and the signature will be invalid.
JAR file
JAR (for Java Archive) is a format for associating digital signatures, security information, or other meta-data with a file or group of files. It is based on the common zip file format. The MIME-type application/java-archive is associated with jar files.

In Mozilla, JAR files are accessed using the following URL format:


where capsapp.jar is the archive file, and getprefs.html is the desired file within capsapp.jar

A privilege (sometimes referred to as a "capability") is a special identifier which gives scripts an enhanced level of access to a user's computer. Because of the potential damage (either malicious or accidental) a script with privileges can inflict on a user's computer, Mozilla requires scripts requesting extended privileges to be signed with a valid certificate. Signing identifies the entity responsible for the script, and provides evidence of any modification to the script after signing.
Certificate Authority

A certificate authority (CA) is an organization that creates and signs certificates. Charge usually varies with use. Personal certificates, often used for signing e-mail, can be as low as $19.95/year, while developer certificates can be as expensive as $695/year or more. Other sites allow users to register certificates for free. CAs provide certificates not only for signing email and scripts, but also for SSL servers and legal documents.

Some CA's (from

BelSign (P) (F)
Ident Trust (P) (P)
Equifax Secure (P)
GlobalSign (P)
Inter Clear (P)
Texstar Technologies Inc. (P)
Thawte Digital Certificate Services (F)
The USERTRUST Network (P)
VeriSign (P)

P - Site charges for certificats. F - Site has free certificates available (usually only for personal use).