Now I’m thinking of implementing eval()-ing of some code, dynamically loaded from the server. Any kind of “eval()”ing is not a good idea, actually (especially for security). What comes to mind:
If I do not use SSL or any server-authentication technique, it’s so easy to substitute my packages and run any JS code on the user’s machine. Now, when there’s some API for hardware (WebGL) it might (?) be dangerous.
But, on the other hand, it makes no sense if I secure that somehow, because if the user surfs the net, JS code might simply be substituted when the browser requests the .js file from the server loading the page (from another web-site, for example).
So, if I have no important data in my web-app, should I implement any kind of server-authentication?
If the page containing the eval() instruction and the JS source code you are loading dynamically are on the same server, there is probably no decreased security because of this – an attacker could simply replace the page instead of the dynamically loaded code, and achieve the same destructive effect, whether you use eval() or not.

eval()ing dynamically loaded code is done all the time in JavaScript. For example, when you load HTML through jQuery’s .load(), any JS in it will be extracted and eval()ed automatically.

If you need to eval() something this way, I don’t think you add a security problem (although you may very well be able to avoid using it by changing your architecture.)
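An added example, not part of the original answer or of jQuery: a minimal Node.js imitation of the .load() behaviour the answer describes, where script blocks inside a fetched HTML fragment are extracted and evaluated. The fragment and the function names are constructed for the demo.

```javascript
// Added example (not from the original post or from jQuery): mimics what the
// answer describes about jQuery's .load() -- any <script> inside fetched HTML
// is pulled out and eval()ed. Assumes Node.js; SAMPLE_FRAGMENT is a constructed
// stand-in for a server response, not real output from any site.

// Pull the bodies of inline <script> elements out of an HTML string.
// A regex is enough for this demo; jQuery walks the parsed DOM instead.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    scripts.push(m[1].trim());
  }
  return scripts;
}

// Evaluate each extracted script in global scope. (0, eval)(code) is an
// indirect eval, so the code runs with global scope rather than the
// caller's local scope. This is the step that makes "loading HTML"
// exactly as powerful as eval()ing a .js file from the same server.
// Returns the number of scripts that were executed.
function runLoadedHtml(html) {
  const scripts = extractInlineScripts(html);
  for (const code of scripts) {
    (0, eval)(code);
  }
  return scripts.length;
}

// Constructed fragment standing in for the response to a .load() request.
const SAMPLE_FRAGMENT = `
<div id="widget">Hello</div>
<script>
  globalThis.loadedByFragment = 'script from fetched HTML ran';
</script>
`;

// Runs the demo and reports what the embedded script left behind.
function demo() {
  const count = runLoadedHtml(SAMPLE_FRAGMENT);
  return { count, sideEffect: globalThis.loadedByFragment };
}
```

Whatever channel delivers that HTML is therefore the channel that delivers code, which is the answer's point: the page and the fragment need the same level of trust, and protecting only one of them buys nothing.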