Okay, another question: was this always the case, or did security get added/improved?
I don't know... I think it was always the case in theory, but problems have appeared over the years. I'm not well up on all the history, though (but I'd like to be). For example:
Apparently the Nimda worm used Javascript holes, didn't it?
AIUI the JS part of Nimda loaded the rest using window.open("filename-of-evil-stuff"). I think that's a browser problem rather than JS; it's pretty reasonable that JS on one page should be able to tell the browser to go to another page, but the browser shouldn't respond to being given a URL whether by JS or by the user, by just downloading and running anything. At least not without lots and lots of persuading from the user.
(no subject)
I don't know... I think it was always the case in theory, but problems have appeared over the years. I'm not well up on all the history, though (but I'd like to be). For example:
Apparently the Nimda worm used Javascript holes, didn't it?
AIUI the JS part of Nimda loaded the rest using window.open("filename-of-evil-stuff"). I think that's a browser problem rather than JS; it's pretty reasonable that JS on one page should be able to tell the browser to go to another page, but the browser shouldn't respond to being given a URL whether by JS or by the user, by just downloading and running anything. At least not without lots and lots of persuading from the user.