aalemayhu / snake

[S]uper [N]ot [A]wesome [K]nockout [E]agle - SNAKE - a Twitch snake overlay game

Harden the running of user scripts #12

Closed aalemayhu closed 6 years ago

aalemayhu commented 6 years ago

So according to the Mozilla docs, our eval() usage is dangerous. Quoting them below; for more info check their docs.

eval() is a dangerous function, which executes the code it's passed with the privileges of the caller. If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage / extension. More importantly, a third-party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible.
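The scope difference the quoted Mozilla text describes, as an added example that is not code from the snake project or from this issue: a direct eval() call can read the caller's local variables, while a Function() body is compiled in the global scope and cannot. The local variable name `secret`, the sample token value and the helper names `runWithEval`, `runWithFunction`, `tryRun` and `demo` are all assumptions made for this illustration.

```javascript
// Added example, not from the snake project. It runs the same "user script"
// two ways to show what eval() exposes that Function() does not, and what
// both still expose. Requires Node.js (uses the `process` global).

// Runs a user script with direct eval(). The script shares this function's
// scope, so it can read the local `secret`.
function runWithEval(userScript) {
  const secret = "oauth-token-12345"; // constructed sample value
  return eval(userScript);
}

// Runs the same script through the Function constructor. The body is
// compiled in the global scope, so the local `secret` is not visible to it.
function runWithFunction(userScript) {
  const secret = "oauth-token-12345"; // deliberately only reachable by scope
  return new Function(userScript)();
}

// Turns a thrown error into data so a hostile script cannot crash the caller.
function tryRun(runner, userScript) {
  try {
    return { ok: true, value: runner(userScript) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Three constructed user scripts, run through each mechanism.
function demo() {
  return {
    // eval(): the expression `secret` resolves to the caller's local.
    evalLeaksLocal: tryRun(runWithEval, "secret"),
    // Function(): the same name is unresolved -> ReferenceError.
    functionHidesLocal: tryRun(runWithFunction, "return secret"),
    // Function() still runs with the caller's full privileges: every
    // global, including Node's `process`, is reachable.
    functionStillHasGlobals: tryRun(runWithFunction, "return typeof process"),
  };
}

console.log(demo());
```

Function() closes the scope leak the quote warns about, but nothing in either path reduces privileges: the third result shows a chat-submitted script can still reach `process` and everything else on the global object. That is the gap a separate sandbox has to close.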

aalemayhu commented 6 years ago

kvernknurren in chat suggested vm2. Eyeballing the README file, it looks good for our use case. Will try it out.

aalemayhu commented 6 years ago

This can be closed when the vm2 branch is merged.