search

deltachat / deltachat-desktop

Email-based instant messaging for Desktop.
GNU General Public License v3.0
898 stars 166 forks source link

unsafe eval is overly strict for webxdc #2568

Closed flipsimon closed 2 years ago

flipsimon commented 2 years ago

The content security policy for webxdc disallows eval which is very common in libraries and functionality that would be required by webxdc. For example, a live coding application for music that uses Function() or eval() on strings would not work. There are also popular numerical computing and graphics libraries which do not work under this restriction.

Simon-Laux commented 2 years ago

maybe we should add a webxdc manifest key to prevent eval in a strict mode somewhere in the future

Simon-Laux commented 2 years ago

also we should sync the CSP rules on all platforms, I mentioned this before, but seemingly nobody noticed.

CC @cyBerta @adbenitez @r10s

r10s commented 2 years ago

great you bring up this topic. in the following, my understanding:

also we should sync the CSP rules on all platforms, I mentioned this before, but seemingly nobody noticed.

CSP is used to restrict parts of a website to avoid XSS and similar attacks. imu, this is not needed for android/ios as there is no "outer" javascript with full/more access as on desktop. not sure of CSP even exists on ios/anroid outside of iframes (which we do no use/need).

instead, ios/android make sure, all data comes from the webxdc's zip (which is the "origin" then)

for eval(): as we already allow execution of arbitrary code in webxdc's end afaik eval() runs with the permissions of the caller, it should be fine to just allow that.

but i might have miss a bit here :) @cyBerta, @all please correct me if i am wrong :)

finally, as good practise, we can wait to add that until the missing evcal() becomes practically and not only a theoretically an issue. @flipsimon are the webxdc's in development where the missing eval() is an issue?

Simon-Laux commented 2 years ago

I see it as another layer of protection, it should be the same over on all platforms that the same things are allowed/disallowed on each platform.

also AFAIK using eval is bad practice, but i don't care whether we allow it or not.

r10s commented 2 years ago

we can have an list about what should be allowed and not allowed in general, which apis etc. however, as said, if CSP is not used on android/ios, it does not make much sense to create a shared list for exactly that.

also AFAIK using eval is bad practice, but i don't care whether we allow it or not.

i agree. therefore i'd like to have some practcal webxdc in development that need/use eval() or are at least planned.

Jikstra commented 2 years ago

also AFAIK using eval is bad practice, but i don't care whether we allow it or not.

But not if you do webgl stuff. There it's needed. Same with live coding environments. eval is bad practice BESIDES you actually need it :P