JavaScript allows executable code to run on the user's machine without his or her knowledge. Web pages are frequently downloaded through firewalls and run on presumably secured inner company networks.
JavaScript lacks any filesystem access capabilities, except for the FileUpload object which allows the user to select a file to be uploaded to the server.
JavaScript lacks any networking capabilities.
When browsing the Web, you expose this information to any Web site you visit:
Your IP address
Your browser app name and version
The primary purpose of JavaScript security is to prevent scripts from accessing any other information about you besides these basics.
Some capabilities that it is important to deny to scripts:
Reading your browser history
Reading contents of other open windows
Closing windows, except secondary windows opened by the same site
Opening invisible windows which run scripts unbeknownst to the user
Scripts can set the domain property of the document object. A script can then access the contents of other windows loaded from the same domain.
However, any "user-defined" properties (variables set by JavaScript in the Web page) may be accessed by scripts from other domains.
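The domain property rule above, modelled as an added example (not code from the original page). It follows the check as browsers later standardized it, where both windows must set the same domain value; the window records, hostnames and the one-dot suffix test are assumptions made for illustration.

```javascript
// Simplified model of the same-origin check with the document.domain
// relaxation. Window records and hostnames are constructed for illustration.
function makeWindow(url) {
  const u = new URL(url);
  return { protocol: u.protocol, host: u.hostname, port: u.port, domain: null };
}

// A script may only set domain to its own hostname or a parent suffix of it.
// Assumption: "at least one dot" stands in for the browser's public-suffix list.
function setDomain(win, value) {
  const isSelf = value === win.host;
  const isParent = win.host.endsWith("." + value) && value.includes(".");
  if (!isSelf && !isParent) {
    throw new Error(`cannot set domain of ${win.host} to ${value}`);
  }
  win.domain = value;
}

// Access is allowed when both windows opted in to the same domain value,
// or when neither opted in and protocol, host and port all match.
function canAccess(a, b) {
  if (a.protocol !== b.protocol) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) {
    return a.host === b.host && a.port === b.port;
  }
  return false; // only one side relaxed its domain
}

// Constructed scenario: two hosts of one site, plus an unrelated site.
const www = makeWindow("http://www.example.com/");
const mail = makeWindow("http://mail.example.com/");
const before = canAccess(www, mail);   // different hosts, no relaxation
setDomain(www, "example.com");
const oneSided = canAccess(www, mail); // only one window opted in
setDomain(mail, "example.com");
const after = canAccess(www, mail);    // both opted in to the same domain
console.log({ before, oneSided, after });
```

The suffix check in setDomain is what keeps an unrelated site from declaring itself part of example.com, and the one-dot rule keeps a page from widening its domain to a bare top-level name.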
Navigator 4 and up support a security model involving cryptographic signatures. The signatures use public-key encryption to validate that a script originates with a certain principal, e.g. Netscape Communications, Inc. The user can decide whether to grant these scripts the following privilege levels:
UniversalBrowserRead -- can read other windows, History list, etc.
UniversalBrowserWrite -- can alter other windows, capture events from other windows, open offscreen windows or very small windows, etc.
UniversalBrowserAccess -- combination of the above two permissions
UniversalFileAccess -- set the value of a FileUpload object
UniversalSendMail -- send mail in your name
None of this works under IE. Scripts are locked down by default and cannot easily be unlocked.
Netscape provides a signtool for signing scripts, along with some practice certificates. Commercial use requires you to acquire a digital certificate from one of the many digital certificate repository firms such as VeriSign, Inc.