pauljt
commented
10 years ago To begin with, could we just attempt to parse all files? Though it would be good to analyze usage/file scope (ie figure out which js belongs to which page etc)
Closed cr closed 2 years ago
pauljt
commented
10 years ago To begin with, could we just attempt to parse all files? Though it would be good to analyze usage/file scope (ie figure out which js belongs to which page etc)
mozfreddyb
commented
10 years ago You're raising a good point, but let's remember the goal of ScanJS: To help manual reviews. It is not an automated review tool. In the best case all files should get real eyeballs to look at (but see also #9)
pauljt
commented
10 years ago I asked cr to raise this. Even with the goal of manual review I think this is useful e.g.
You can however load whatever files you want manually, so both of these cases are kinda supported in the manual file case. Might be nice to have a bit of automation here, but yeh probably not necessary for the initial release.
On 11 Apr 2014, at 9:58 pm, Frederik notifications@github.com wrote:
You're raising a good point, but let's remember the goal of ScanJS though: A tool to help manual reviews. Not an automated review tool. In the best case all files should get real eyeballs to look at (but see also #9)
— Reply to this email directly or view it on GitHub.
While the vast majority of script files follow the *.js naming scheme, Firefox (OS) happily accepts JavaScript files with arbitrary extensions. To mitigate the most trivial scanner evasion technique, we need to ensure that our scanners detect and handle non-.js JavaScript files correctly, for example by following includes and script tags in HTML files, or by static file analysis on all files inside the archive to find those which the browser correctly parses as JavaScript.