Early versions of client-side JavaScript were plagued with security problems. In Navigator 2.0, for example, it was possible to write JavaScript code that would automatically steal the email address of any visitor to the page containing the code. More worrisome was the related capability to send email in the visitor's name, without the visitor's knowledge or approval. This was done by defining an HTML form, with a mailto: URL as its ACTION attribute and using POST as the submission method. With this form defined, JavaScript code could then call the form object's submit() method when the page containing the form was first loaded. This would automatically generate mail in the visitor's name to any desired address. The mail would contain the visitor's email address, which could be stolen for use in Internet marketing, for example. Furthermore, by setting appropriate values within the form, this malicious JavaScript code could send a message in the user's name to any email address.
Fortunately, practically all known security issues in JavaScript have been resolved in Navigator 3.0. Furthermore, Navigator 4.0 will implement a completely new security model that promises to make client-side JavaScript even more secure. Chapter 20, JavaScript Security contains a complete discussion of security in client-side JavaScript.
.