I’m using Node.js and Socket.io. I’ve written an application which can send JavaScript snippets from the server and execute them on the client. The JavaScript is sent via Secure WebSocket (WSS), and the client has a listener which will execute any code passed to it via the server.
This short script demonstrates the principle: http://jsfiddle.net/KMURe/ and you can think of the onScript function as the socket listener.
Question
What security protocols can I put in place to make this transaction safe? Would a secure websocket channel make it difficult for a third party to act as a middle man (altering the code before it’s sent to the client)?
Some Use Cases..
- Dynamically assigned distributed computation.
- Browser client can dynamically learn from the server.
- Update browser behavior in unison.
eval(), even if you have legit use, is just dangerous. You shouldavoid using it at all costs.use it with care.However, if it’s really needed, then you can use strict mode via
"use strict"command. Wheneval()is executed in a strict function, the eval’s content will not leak in the immediate scope. The code in an eval will be contained ineval()itself (as if it has it’s own scope). In the demo, try removing the trailingxandeval()will returnundefined.But still, using
eval()is dangerous. It’s better if you find alternatives like JSON with custom string commands that will be parsed client-side.