Closed flipsimon closed 2 years ago
maybe we should add a webxdc manifest key to prevent eval in a strict mode somewhere in the future
also we should sync the CSP rules on all platforms, I mentioned this before, but seemingly nobody noticed.
CC @cyBerta @adbenitez @r10s
great you bring up this topic. in the following, my understanding:
also we should sync the CSP rules on all platforms, I mentioned this before, but seemingly nobody noticed.
CSP is used to restrict parts of a website to avoid XSS and similar attacks. imu, this is not needed for android/ios as there is no "outer" javascript with full/more access as on desktop. not sure of CSP even exists on ios/anroid outside of iframes (which we do no use/need).
instead, ios/android make sure, all data comes from the webxdc's zip (which is the "origin" then)
for eval()
: as we already allow execution of arbitrary code in webxdc's end afaik eval()
runs with the permissions of the caller, it should be fine to just allow that.
but i might have miss a bit here :) @cyBerta, @all please correct me if i am wrong :)
finally, as good practise, we can wait to add that until the missing evcal()
becomes practically and not only a theoretically an issue. @flipsimon are the webxdc's in development where the missing eval()
is an issue?
I see it as another layer of protection, it should be the same over on all platforms that the same things are allowed/disallowed on each platform.
also AFAIK using eval
is bad practice, but i don't care whether we allow it or not.
we can have an list about what should be allowed and not allowed in general, which apis etc. however, as said, if CSP is not used on android/ios, it does not make much sense to create a shared list for exactly that.
also AFAIK using eval is bad practice, but i don't care whether we allow it or not.
i agree. therefore i'd like to have some practcal webxdc in development that need/use eval() or are at least planned.
also AFAIK using
eval
is bad practice, but i don't care whether we allow it or not.
But not if you do webgl stuff. There it's needed. Same with live coding environments. eval is bad practice BESIDES you actually need it :P
The content security policy for webxdc disallows eval which is very common in libraries and functionality that would be required by webxdc. For example, a live coding application for music that uses
Function()
oreval()
on strings would not work. There are also popular numerical computing and graphics libraries which do not work under this restriction.