abstract ;;Quote: remotely-loaded code may have security flaws. For example, Java has many security flaws such as covert channels and lacking a formal security policy

190 ;;Quote: remotely-loaded code should limit access to the file system, CPU, network, graphics display, and internal state

190+;;Quote: a language for remotely-loaded code should have a safe type system, garbage-collection, and carefully managed system calls

191 ;;Quote: a covariant rule for subtyping arrays requires a run time type check for array stores; otherwise can copy a larger element into a smaller element

192 ;;Quote: a Java applet can busy-wait, allocate unbounded amounts of memory, or lock critical pieces of the browser

196 ;;Quote: without a formal semantics or a formal type system, can not reason about Java or the security properties of its libraries

197 ;;Quote: type checking normally occurs with the abstract syntax tree; allows context, type correctness of subexpressions, and one type rule per construct

197+;;Quote: a bytecode verifier must show that all possible execution paths have the same virtual machine configuration; complicates type checking

199 ;;Quote: a teleconferencing applet needs the same access rights as a bugged phone; need a unforgeable capability and an explicit "push to talk"

199 ;;Quote: applets should request capabilities when first loaded with a digital signature to thwart spoofing attacks; otherwise users will disable security checks

199 ;;Quote: an untrusted applet can use a trusted dialog box to gain access to files and other system resources

199 ;;Quote: use natural interfaces instead of security dialogs, e.g., 'Paste to Applet'. Keep the user in control