*   the big concern: JavScript allows "executable content" from
    outside courses of varying reputability to be embedded in
    otherwise-static web pages...

    *   this is both blessing --- dynamic pages!
        and curse: what if it does something it shouldn't?

*   some of the means JavaScript uses to reduce possibilities
    for malfeasance...

    *   client-side JavaScript does not provide any way to
        do file input/ouput on the client computer

    *   client-side JavaScript doesn't have networking primitives

        *   BUT: problems can arise when JavaScript is used
            as a "script engine" for other software components ---
            e.g., ActiveX, plugins

    *   JavaScript has a close() method for the Window object ---
        most browsers restrict this so that a script is only
        allowed to close a window opened by a script from the
        same web server

    *   same-origin policy - a script can only read properties of
        windows and documents that have the same origin
        (e.g., loaded from the same host, through the same port,
        using same protocol, etc.)

    *   etc. - see Chapter 21, "JavaScript: the Definitive Guide",
        4th ed.