davidbau / seedrandom

seeded random number generator for Javascript

flatten() implementation produces warnings in the browser javascript console #42

Closed mreinstein closed 7 years ago

mreinstein commented 7 years ago

here's what I see:

[screenshot: screen shot 2017-02-09 at 1 01 58 pm]

Here is the specific line that's causing the warnings: https://github.com/davidbau/seedrandom/blob/released/seedrandom.js#L169

I'm not sure why but flatten() seems to be getting called on the window object. It's iterating over pretty much everything in the entire dom, including some of these deprecated properties.

I'm thinking if this could be fixed, it would not only remove the warnings but probably improve performance as I'm sure iterating over everything attached to the window must be somewhat costly.

thoughts?

davidbau commented 7 years ago

IIRC, the idea of using browser crypto is to allow good seeding without flatten. We should figure out how to make this work under browserify if it's not.

mreinstein commented 7 years ago

it definitely works in the browser. I'm pretty sure these are just warnings.

I guess my question is, what is flatten doing? is it coming up with a unique "fingerprint" for a seed based on the window object?

davidbau commented 7 years ago

The idea is that if you ask for an auto seed, then it tries to generate a seed that is hard to anticipate.

On a browser with a crypto object, this is done using crypto.getRandomBytes().

But when that is not available, "flatten" does its best to collect as much local entropy as it reasonably can by traversing all visible state up to 3 levels deep in the window object, which captures entropy from the website, user, computer, and browser configuration. Unfortunately, that's slow and touches a lot of global variables including deprecated ones that trigger warnings. But it should not be done on a modern browser.

(Flatten is also used to produce a flat string seed from any non-string you might provide as a seed; but I'd expect to see these warnings in the case where flatten is used on an autoseed.)

mreinstein commented 7 years ago

@davidbau yeah it looks like getRandomValues() has broad support:

http://caniuse.com/#search=getrandomvalues

this might be a great replacement for the flatten() code (though it could be left as a fallback)

mreinstein commented 7 years ago

strange, the issue seems to have gone away. I've tried both your existing module code and my most recent PR and neither seems to trigger the issue. I'll close this for now. If it happens again I'll re-open with more details.

sorry for the noise!
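
The seeding order discussed in this thread, as an added sketch that is not seedrandom's own code: use `crypto.getRandomValues()` when the platform provides it, and only otherwise walk object state three levels deep, where every property read can fire a getter. The names `leafString`, `flattenSketch`, `autoseedSketch` and `sampleRoot` are hypothetical, and the sample object is constructed.

```javascript
// Added example; names are hypothetical, not seedrandom's API.

// String form of a leaf value; some host objects throw on conversion.
function leafString(value) {
  try {
    return String(value);
  } catch (e) {
    return typeof value;
  }
}

// Depth-limited walk that flattens reachable state into an array of strings.
// Reading obj[key] can run a getter, which is how walking `window` ends up
// touching deprecated properties and logging warnings.
function flattenSketch(obj, depth) {
  const out = [];
  if (depth > 0 && obj !== null && typeof obj === 'object') {
    for (const key in obj) {
      try {
        out.push(...flattenSketch(obj[key], depth - 1));
      } catch (e) {
        // Property access itself can throw on host objects; skip it.
      }
    }
  }
  return out.length ? out : [leafString(obj)];
}

// Prefer the platform CSPRNG; walk object state only when it is missing.
// `source` tells the caller which path produced the seed.
function autoseedSketch(cryptoObj, root) {
  if (cryptoObj && typeof cryptoObj.getRandomValues === 'function') {
    const bytes = new Uint8Array(32);
    cryptoObj.getRandomValues(bytes);
    return { source: 'crypto', seed: Array.from(bytes) };
  }
  return {
    source: 'flatten',
    seed: [String(Date.now()), ...flattenSketch(root, 3)],
  };
}

// Constructed stand-in for `window`, so the example runs outside a browser.
const sampleRoot = { name: 'constructed', nested: { a: { b: { c: 'too deep' } } } };
console.log(autoseedSketch(globalThis.crypto, sampleRoot).source);
console.log(autoseedSketch(undefined, sampleRoot).seed);
```

The `source` field lets a caller log or reject the fallback path, whose output depends on guessable page state and the clock rather than on a CSPRNG.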