Is there a safe way to call eval in extension?


imiaou

Dec 13, 2010, 12:34:10 AM
to Chromium-extensions
Firefox provides an API called Components.utils.evalInSandbox to
evaluate code snippets in a limited sandbox.
https://developer.mozilla.org/en/Components.utils.evalInSandbox

PhistucK

Dec 13, 2010, 2:02:26 AM
to imiaou, Chromium-extensions
No, but you may suggest this as a feature request.
Generally, for feature requests, you can search crbug.com for an existing issue for this feature request and star it (do not comment on it, it is counterproductive). If you cannot find one, you can file a new issue at new.crbug.com.


PhistucK




--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.


imiaou

Dec 13, 2010, 7:21:16 AM
to Chromium-extensions
OK. I just filed an issue here: http://code.google.com/p/chromium/issues/detail?id=66689


Arne Roomann-Kurrik

Dec 13, 2010, 3:47:30 PM
to imiaou, Chromium-extensions
Wow, I had no idea about that function.  It sounds like a development nightmare:

<script src="prototype.js"></script>
<script>
var s = new Components.utils.Sandbox(url);
var x = Components.utils.evalInSandbox(untrusted_code, s);
if (x == 1) {
  /* this code is unsafe; calls x.valueOf() */
}

if (x === 1) {
  /* this code is safe */
}

var y = x.y; /* this is unsafe */
var z = s.z; /* unsafe */

if (typeof x == "number") {
  /* safe */
}
</script>

If the security on the extension boils down to the developer correctly using === instead of ==, I'm thinking it's probably misused a lot.  You might have a better experience just executing the code in a content script and just making sure your message passing listeners are pretty locked down.

What's the use case you're aiming for, out of curiosity?

~Arne



imiaou

Dec 13, 2010, 9:11:09 PM
to Chromium-extensions
Here is my use case:
I have a lot of extensions installed. Most of them have a background
page and I think they eat too much of my PC's memory.
I came up with an idea to create an independent extension that only consists of
a background page, which grants all the permissions of the extension API.
Now, I can rewrite those extensions by moving their background page's
script to a content script. Then send the source code to the background
page and eval it.
The reason I'm doing so is because I want to keep the background page
independent. For example, if an extension uses a context menu to do
something, I write chrome.contextMenus.create in that extension but
not in the background.

BTW, I have two other questions:
1. Does my idea work to reduce memory usage?
2. Maybe I can use file writer API instead of eval?

Arne Roomann-Kurrik

Dec 15, 2010, 6:26:25 PM
to imiaou, Chromium-extensions
I don't think eval()ing code is a good way to prevent memory leaks - if the code has a leak, it'll leak no matter how you call it.  And in the worst case, you'll expose a security hole in your extension.

My suggestion would be just to make sure your background page is as minimal as possible - don't hold a lot of references to variables, since the page persists for so long, that stuff can build up.  

Do as much work in the content script as possible, and then when you need access to a privileged API, use message passing to request the background page to do the operation, and pass the result to the content script.  Also, always call the callback function on an onRequest listener in your background page, even if you don't need to pass data back to the content script, because it'll leak if you don't.  

Finally, use the developer tools profiler to see if you can identify leaks or what's taking up the most amount of memory on the heap.  Here's a video that does a quick walkthrough over what that looks like: http://www.youtube.com/watch?v=OxW1dCjOstE

~Arne
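
An added example, not part of the thread or of any poster's code: one way to build the locked-down message-passing listener suggested in the replies above, where the content script sends a named action plus data instead of source code to eval. The action name, the `{action, args}` message shape and the `demo` stand-in API are assumptions for illustration.

```javascript
// Added example. Action names and the {action, args} message shape are assumptions.
const HANDLERS = {
  // One privileged operation per entry; each validates its own arguments.
  createContextMenu(args, api) {
    if (typeof args.title !== "string" || args.title.length > 64) {
      throw new Error("bad title");
    }
    return { menuId: api.contextMenus.create({ title: args.title }) };
  },
};

function handleRequest(request, sender, sendResponse, api) {
  let reply;
  try {
    // Own-property lookup so "constructor" or "toString" cannot be dispatched.
    if (!request || typeof request.action !== "string" ||
        !Object.prototype.hasOwnProperty.call(HANDLERS, request.action)) {
      throw new Error("unknown action");
    }
    const args = request.args && typeof request.args === "object" ? request.args : {};
    reply = { ok: true, result: HANDLERS[request.action](args, api) };
  } catch (e) {
    reply = { ok: false, error: e.message };
  }
  sendResponse(reply); // always answer, even when the request is rejected
  return reply;
}

// In a background page, register the handler (skipped outside the browser).
if (typeof chrome !== "undefined" && chrome.extension && chrome.extension.onRequest) {
  chrome.extension.onRequest.addListener((req, sender, respond) =>
    handleRequest(req, sender, respond, chrome));
}

// Constructed requests run against a stand-in for chrome.contextMenus.
function demo() {
  const created = [];
  const fakeApi = { contextMenus: { create(p) { created.push(p); return created.length; } } };
  const replies = [];
  [
    { action: "createContextMenu", args: { title: "Look up selection" } },
    { action: "eval", args: { code: "1+1" } },            // not on the allowlist
    { action: "constructor" },                            // inherited, not an own key
    { action: "createContextMenu", args: { title: 42 } }, // wrong argument type
  ].forEach((r) => handleRequest(r, {}, (x) => replies.push(x), fakeApi));
  return { replies, created };
}
```

Later Chrome versions replaced `chrome.extension.onRequest` with `chrome.runtime.onMessage`; the allowlist dispatch stays the same.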





imiaou

Dec 16, 2010, 12:12:50 AM
to Chromium-extensions