New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dart2js generates javascript that is not compatible with CSP #3436
Comments
Issue #4278 has been merged into this issue. |
Is dart2js considering CSP restrictions? They are coming to the greater web, not just Chome's new package apps. cc @kasperl. |
For now, we only use dynamic code generation to cut down on the generated code size, so it seems like we could support CSP restrictions in a few ways:
For (2), I'm thinking of something along the lines of: function createGetter(field) { return function() { return this[field]; }; } That is likely to make the getters slower (less likely to be candidates for inlining) and to use more memory (they need a context chain), but it seems like something we could measure the impact of pretty easily. |
This comment was originally written by johnle...@google.com The Closure Compiler has a optimization pass that can apply this On Tuesday, August 7, 2012, wrote: |
Added this to the Later milestone. |
This came up again in an Chrome Apps hackathon. |
This comment was originally written by benwells@chromium.org It would be awesome to start experimenting with Chrom apps and Dart. If we could get some sort of workaround in place (even if it is an option in a settings file somewhere) we could start looking at getting the required extension APIs available to dart apps. |
A date to shoot for would be around Oct 29th, we'll run an internal chrome apps hackathon and it would be awesome to use Dart for it. |
This comment was originally written by kaisellgren@gmail.com I don't know how much work it would be to support a flag --csp-compatible that allows you to produce CSP compatible output along with the consequences of that (output size, performance) if you really wanted to. |
Set owner to @floitschG. |
Removed this from the Later milestone. |
Added this to the M2 milestone. |
Removed Priority-Medium label. |
Thanks guys! |
If the purpose of the flag is to ensure CSP compliance, it should be called --csp or something like that. --disallow-unsafe-eval sounds like it might reject a user program ('avoid' would be better than 'disallow') and raises the question of what a safe eval might be, and has no visible connection with CSP. If there is more to CSP compliance than this change, add a flag --csp that enables --avoid-unsafe-eval and whatever else is required to get the job done. |
This comment was originally written by benwells@chromium.org This is great! About the option name, the CSP rule that was being violated was unsafe-eval. If your CSp rule does not include 'unsafe-eval' you can't use eval or new Function (new Function was the problem I encountered). So maybe the flag is correct, but a little confusing. |
The flag name was chosen to match the style of the CSP rules where you either allow or disallow certain constructs. For now, I think the option name is just fine but if we need more at some point, I'd be happy for us to take a look at specifying a bunch of CSP restrictions with just one flag. If it would make people happier, we could also go for --csp-disallow-unsafe-eval as the option name. |
CSP (content security policy) is a new set of restrictions that browsers and authors are beginning to implement. One of the restrictions is disabling "new Function()". I see that dart2js uses "new Function":
$.$defineNativeClass = function(cls, fields, methods) {
var generateGetterSetter = function(field, prototype) {
var len = field.length;
var lastChar = field[len - 1];
var needsGetter = lastChar == '?' || lastChar == '=';
var needsSetter = lastChar == '!' || lastChar == '=';
if (needsGetter || needsSetter) field = field.substring(0, len - 1);
if (needsGetter) {
var getterString = "return this." + field + ";";
prototype["get$" + field] = new Function(getterString);
}
if (needsSetter) {
var setterString = "this." + field + " = v;";
prototype["set$" + field] = new Function("v", setterString);
}
return field;
};
for (var i = 0; i < fields.length; i++) {
generateGetterSetter(fields[i], methods);
}
for (var method in methods) {
$.dynamicFunction(method)[cls] = methods[method];
}
};
More info: https://mikewest.org/2011/10/content-security-policy-a-primer
The text was updated successfully, but these errors were encountered: