Release #4, eval() vs. CSP

Posted: March 9, 2014 in Programming

Good day everyone. It looks like spring is coming to the Toronto area 🙂

It was a fun release period, did a lot of PRs and hopefully they will be reviewed soon, so I can move on to CSP implementation and testing.

As I was saying in my previous post, there is a lot of preparatory work needed to get closer to CSP implementation. During my release #4 period I was working on moving inline scripts into separate files and also looking at how to get rid of eval(), because CSP prohibits it. Pretty much all the inline scripts have been moved into separate files and only need review.
The Goggles.webmaker component is almost ready to implement CSP; only 3 bugs remain to be merged (bug980159, bug980160, bug980162, which are under review).

The Thimble.webmaker component is also in the final stage prior to CSP implementation. These bugs have been fixed and are waiting for review: bug979111, bug979642, bug979648, bug979651, bug981357.

At the same time I decided to add the popcorn.webmaker component to my list and add CSP to it as well. I filed new blocking bugs that should be fixed prior to CSP and have already pushed the PRs (bug981354 and bug981352).
The other bug here could be a little difficult: replacing eval() in PluginDetect_Flash.js with something else, because CSP doesn't allow eval(). My suggestion was to replace this: $.isIE = eval("/*@cc_on!@*/!1"); with this: $.isIE = JSON.parse("/*@cc_on!@*/!1");, but apparently IE conditional compilation doesn't work with JSON. Right now I am thinking about other possible solutions. Other than that, popcorn.webmaker is almost ready to implement CSP, which is great as well.
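As an added illustration (not code from the post or from PluginDetect_Flash.js), the block below shows the kind of script-src policy that makes eval() unusable, a small checker that reports whether a given policy string still permits eval, and an eval-free IE check that could stand in for the conditional-compilation trick. The names cspHeader, policyAllowsEval and isIE, and the injected doc/nav parameters, are assumptions made here so the code runs outside a browser; the detection relies on document.documentMode (IE 8 and later) and the MSIE/Trident user-agent tokens rather than on any dynamic code evaluation.

```javascript
// Added example: eval()-free alternative for the IE check, plus the CSP policy
// under which eval() is refused. Names below are assumptions for this illustration.

// A CSP 1.0 policy without 'unsafe-eval': eval(), new Function() and string
// arguments to setTimeout/setInterval are all refused by the browser.
// (Constructed sample header.)
const cspHeader =
  "Content-Security-Policy: default-src 'self'; script-src 'self'";

// Returns true only when the effective script policy contains 'unsafe-eval'.
// script-src governs eval; when it is absent, default-src applies.
function policyAllowsEval(header) {
  const body = header.replace(/^Content-Security-Policy:\s*/i, '');
  const byName = {};
  for (const directive of body.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0]) byName[parts[0]] = parts.slice(1);
  }
  const sources = byName['script-src'] || byName['default-src'] || [];
  return sources.includes("'unsafe-eval'");
}

// The original line relied on eval() to run IE's conditional compilation:
//   $.isIE = eval("/*@cc_on!@*/!1");
// Under the policy above that call throws an EvalError, so isIE is never set.
//
// Replacement with no dynamic code: document.documentMode exists only in
// IE 8+, and older IE versions put "MSIE"/"Trident/" in navigator.userAgent.
// doc and nav are passed in so the function can be exercised outside a browser.
function isIE(doc, nav) {
  if (doc && typeof doc.documentMode === 'number') {
    return true;
  }
  const ua = (nav && nav.userAgent) || '';
  return /MSIE \d|Trident\/\d/.test(ua);
}

// Usage in browser code (constructed):
//   $.isIE = isIE(document, navigator);
```

The checker only inspects the policy text; it is a stand-in for the browser's own enforcement, which is what actually blocks the eval() call when the page is served with that header.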

To sum up: I'm pretty close to the final CSP implementation for several components, and hopefully during my next release all the PRs will be reviewed and merged, so I will be able to test thoroughly and push the CSP implementation. I think the goggles component will be a good start, because it doesn't use disallowed features (eval() or new Function()) and could be implemented with fewer problems.

Also, I talked to Jon about CSP V 1.1, which I reviewed in my release #3. The new version has a lot of nice features and updates. However, we decided that it is still pretty raw and not all browsers support every feature, so maybe in the near future some updates will be implemented, but for now it is OK to use V 1.0.
