Extensions & XMLHttpRequest & eval – Oh My

Using eval() to decode JavaScript you downloaded from a remote website in your extension is just plain wrong. It’s not safe! Don’t do it!

Every now and then, an AMO reviewer will send me an email asking me to help an extension developer work around the situation. Why? Because AMO will not allow add-ons that eval() JavaScript downloaded from a remote website to be moved out of the AMO sandbox. It’s not safe! Using eval() in an extension can give rogue JavaScript chrome privileges – the ability to do pretty much whatever it wants to the computer.

I finally made an MDC article with more details. The short version is:

  • If you’re downloading JSON, use a real JSON decoder, not eval().
  • If you’re downloading real JavaScript, use a JavaScript sandbox, not eval().

4 Comments

  1. Cesar said,

    June 27, 2008 @ 12:57 am

    Thank you Mark. This is exactly the kind of message we want sent out to developers :). I have denied at least 3 add-ons for this very reason. It is rare, but it happens. Never maliciously of course.

    Do you happen to know any other functions that we should be worried about other than eval()?

  2. Giorgio Maone said,

    June 27, 2008 @ 4:20 am

    Do you happen to know any other functions that we should be worried about other than eval()?

    new Function(someCode) and node.setAttribute("onSomeEvent", someScript) are two which come to mind.
    innerHTML can be worrisome too, depending on the context.

  3. Mark Finkle said,

    June 27, 2008 @ 9:07 am

    Thanks Giorgio

  4. Erwan said,

    July 17, 2008 @ 8:04 pm

    According to the doc on MDC, we can evaluate JSON either using the jsm (that actually does an eval in sandbox), or using the native component. Since the native component is much faster than the jsm, is there any reason to use the jsm or should we all use the native component?
