juliendorra changed the title from "Do we need to sandbox more to deal with alert(""), XSS and other JavaScript annoyances?" to "Sandboxing to deal with inifinite loop, blocking errors, alert(""), XSS and other JavaScript annoyances" on Dec 24, 2015.

juliendorra changed the title from "Sandboxing to deal with inifinite loop, blocking errors, alert(""), XSS and other JavaScript annoyances" to "Dealing with infinite loop, blocking errors, alert(""), XSS and other JavaScript annoyances" on Oct 11, 2017.
Both JS Bin and CodePen have an open source implementation of infinite loop management/stopping:
JS Bin's Loop Protect rewrites the JavaScript with timers and tests, without building an AST. There's an implementation example. It's extracted from the JS Bin code base, which is fully open source. https://github.com/jsbin/loop-protect
CodePen's Infinite Loop Buster builds an AST using Esprima, and then adds the checks to the AST, which could be more robust and cover more cases. As CodePen is not open source, we can only infer that it is the version used on their site. https://github.com/CodePen/InfiniteLoopBuster
XSS is probably not of concern for Paysage, as we have no sessions or user information.
But I tested with alert() and it's hugely annoying, especially as it goes off 60 times per second (in the draw loop) on the Playground.
Infinite loop and other errors that block the tab/browser are also an issue.
Very interesting podcast by CodePen on executing arbitrary JavaScript:
http://blog.codepen.io/2015/07/07/045-javascript-security/
Some practical implementation tips here:
https://github.com/jsbin/jsbin/wiki/Best-practices-for-building-your-own-live-paste-bin
For alert (and prompt, confirm, print, open) the fix is to redefine window.alert = function () {} so the function is empty. But there are other sorts of popups and modals possible :-( like camera access, geoloc, etc. that we can't access, and we would need to clean the code itself…
Content Security Policy would allow us to be sure that (modern) browsers only load code from trusted servers, while still allowing images to be loaded from anywhere on the web, for example.
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
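The two mitigations discussed in the issue, stubbing the blocking dialog functions and injecting a loop-protect style time budget into loop bodies, combined in one added example. This is illustrative code written for this page, not code from Paysage, JS Bin's loop-protect or CodePen's InfiniteLoopBuster. The loop rewrite is a deliberately simplified regex transform that assumes braced loop bodies and no `for`/`while` text inside string literals; the real libraries handle those cases, and `fakeWindow` stands in for the sandbox iframe's `window` object.

```javascript
// Added example (not code from the Paysage, JS Bin or CodePen projects):
// a minimal sandbox for user-supplied JavaScript that
//   (a) replaces the blocking dialog functions with no-op stubs, and
//   (b) injects a loop-protect style guard into loop bodies so an infinite
//       loop throws once a wall-clock budget is exhausted.
// The loop rewrite is a simplified, regex-based illustration of the
// "rewrite the source, no AST" approach; it assumes braced loop bodies.

const DEFAULT_BUDGET_MS = 100;

// Insert a `__guard();` call as the first statement of every for/while/do body.
function instrumentLoops(source) {
  return source
    .replace(/\b(for|while)\s*\(([^{}]*?)\)\s*\{/g, '$1 ($2) { __guard();')
    .replace(/\bdo\s*\{/g, 'do { __guard();');
}

// Build a guard that throws once more than `budgetMs` of wall-clock time has
// elapsed since it was created. `now` is injectable for testing.
function makeGuard(budgetMs, now = Date.now) {
  const start = now();
  return function __guard() {
    if (now() - start > budgetMs) {
      throw new Error('Loop protect: execution exceeded ' + budgetMs + 'ms budget');
    }
  };
}

// Replace the dialog functions on a window-like object with stubs that only
// count calls. In a real playground `target` would be the iframe's window,
// i.e. the `window.alert = function () {}` fix from the issue.
function neutralizeDialogs(target) {
  const calls = { alert: 0, prompt: 0, confirm: 0, print: 0, open: 0 };
  target.alert = () => { calls.alert++; };
  target.prompt = () => { calls.prompt++; return null; };    // as if user cancelled
  target.confirm = () => { calls.confirm++; return false; }; // as if user declined
  target.print = () => { calls.print++; };
  target.open = () => { calls.open++; return null; };        // as if popup blocked
  return calls;
}

// Run user code with the stubs shadowing the dialog names and loops guarded.
// Returns { result, error, calls }; `error` is the message of any thrown error.
function runSandboxed(userSource, { budgetMs = DEFAULT_BUDGET_MS } = {}) {
  const fakeWindow = {};                 // hypothetical stand-in for the iframe window
  const calls = neutralizeDialogs(fakeWindow);
  const instrumented = instrumentLoops(userSource);
  // Parameter names shadow the real globals for direct references inside the
  // body (`alert(...)`); a real sandbox must also patch the iframe's window.
  const fn = new Function(
    '__guard', 'alert', 'prompt', 'confirm', 'print', 'open', instrumented
  );
  let result, error = null;
  try {
    result = fn(makeGuard(budgetMs), fakeWindow.alert, fakeWindow.prompt,
                fakeWindow.confirm, fakeWindow.print, fakeWindow.open);
  } catch (e) {
    error = e.message;
  }
  return { result, error, calls };
}

// Constructed sample inputs: a finite loop, an alert storm, and an infinite loop.
console.log(runSandboxed('let n = 0; for (let i = 0; i < 5; i++) { n += i; } return n;'));
console.log(runSandboxed('for (let i = 0; i < 60; i++) { alert("frame " + i); } return "done";'));
console.log(runSandboxed('while (true) {}', { budgetMs: 20 }));
```

The budget check costs one `Date.now()` call per iteration, which is why both JS Bin and CodePen do this rewriting only in their live preview, not in shipped code. Shadowing `alert` via function parameters only catches direct references; code that reaches for `window.alert` explicitly is why the issue proposes redefining the property on the sandbox window itself, as `neutralizeDialogs` does on `fakeWindow`.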