30 June 2008

Not lovely...

Well, it's not often that I have had a bad word to say about Mozilla Firefox. However, for the second time in a week, I now do.

I have been aware of issues with the Mozilla implementation of eval for some time, but the latest exposure was news to me and seemingly many others.

Full details can be found here. There is no reliable way round that I can find as yet so I will continue along the assumption that in the JavaScript world, nothing is safe.

I will still use a module pattern (as I have discussed before in a previous post) and I will still call "private" members private. I will also continue to discourage the use of evil eval.

Douglas Crockford has a few things to say about Firefox in general and had his own comments about this latest issue.

I am deeply disappointed frankly. Firefox 3 ruined my week last week (well, truthfully, Firebug was as much to blame) and now this. I suppose it's nice to see that other browser vendors make mistakes!
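As an added example (not code from the original post), here is the module pattern the post recommends, with a single private member, alongside the way a direct `eval` placed inside that closure hands the private member to any caller, while an indirect `eval` does not. This uses standard ECMAScript semantics only; the Mozilla-specific `eval` behaviour the post links to is not reproduced, and the names `counter`, `leakyModule` and `safeModule` are my own.

```javascript
// Module pattern: `secret` lives only in the closure; the returned object is
// the public API.  (Added example, not from the original post.)
var counter = (function () {
  var secret = 0;                 // private member
  return {
    increment: function () { secret += 1; return secret; },
    value: function () { return secret; }
  };
}());

// In standard JavaScript the private member is not reachable from outside:
// neither as a property of the module nor as a global name.
function secretIsHidden() {
  return typeof counter.secret === "undefined" && typeof secret === "undefined";
}

// A module whose public method runs a *direct* eval on caller-supplied text.
// Direct eval executes in the caller's lexical scope, so the supplied string
// can read (and assign to) the private `secret`: the privacy is gone.
var leakyModule = (function () {
  var secret = "private token";
  return {
    run: function (code) { return eval(code); }      // direct eval: leaks scope
  };
}());

// Same shape, but the eval is indirect.  Indirect eval runs in global scope,
// so the closure's members are invisible to the evaluated text.
var safeModule = (function () {
  var secret = "private token";                      // never observable via run()
  return {
    run: function (code) { return (0, eval)(code); } // global scope only
  };
}());

// Probe: what does a caller get when it asks a module to evaluate "secret"?
// Returns the leaked value, or null when the name is not visible at all.
function canReadSecret(mod) {
  try {
    return mod.run("secret");
  } catch (e) {
    if (e instanceof ReferenceError) { return null; }
    throw e;
  }
}
// canReadSecret(leakyModule) -> "private token"
// canReadSecret(safeModule)  -> null
```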


Neil Mosafi said...

Why is this a problem? I am not including any scripts in my page which someone else wrote, so why do I need to worry about this? The web is not designed for that.

If I do include someone else's scripts in my page, I will host them from my site, so I know what they're doing.

James Norton said...

I am not sure I understand your comment. This is an issue as now there is absolutely no chance of having privately scoped members of an object. Closures are not protected in any way.

This is a client side issue - it does not matter where you host the scripts from. You could even open up Firebug and break the closures.

Neil Mosafi said...

I understand good OO means having a small API etc... but this argument is about security and 'safeness'?

I'm unclear on how you would secure a JavaScript application from any such sort of attack? As you are delivering the source code directly to the browser, and anyone can just view it, what difference does it make if you are protecting private variables from being read/altered in Firebug? What harm could they do outside of the scope of the browser?

I am just unclear on the need for browser security and trying to understand the issues. As long as your services cannot be compromised I can't see the problem, so I am probably missing something.