0

I am currently preparing a talk about Polymer.dart and would like to give a short introduction to dart. There is one question I would like to be prepared for:

Will there be ever a dynamic code injection via <script> for dart?

This article says that there is currently no support for this for a good reason.

However, the currently relativizes the statement a bit and I wonder if there is anything planned in the future to support dynamic code injection?

Randy
  • 1,299
  • 2
  • 10
  • 23
  • This question appears to be off-topic because it is about predicting the future. – Scimonster Oct 19 '14 at 12:29
  • This question is meant to be answerd by the dart team who have written the referenced article. My question is: if there are **now** any plans to implement this in the future. The word _currently_ implies that this might be possible. Since the article is updated a year ago when dart was still beta (or just become 1.0), feel this question is reasonable. – Randy Oct 19 '14 at 15:34
  • The reason why I am asking this question here is because the dart team suggested to ask questions about dart here so that everybody can read them. This is one of the typical questions that come up during a discussion about dart. I am not asking for opinions but for facts. Call them insights, but I am solely interested in facts from the Google Dart Team. – Randy Oct 19 '14 at 15:42

3 Answers3

1

If for example the "eval" command is introduced in Dart, then the answer is YES, Dart is vulnerable to injection attacks. Javascript is in this regard like SQL: it has the same vulnerability than all other dynamically interpreted programming languages (this includes all shell scripts, PHP...), which I call "DATA IS CODE". Such languages have a concrete syntax which is meant for human consumption and their processing entails a first step which is called PARSING: the sequence of characters is broken down into an internal structure which describes the meaning of the expression, in a way which the computer can distinguish the DATA from the INSTRUCTIONS. It is the same problem that lead to the introduction of the NX (No-eXecute) bit on modern CPUs. Functions like "eval" open the door to malicious code to be executed with no constraint. Parsing code at runtime should NEVER be allowed in a secure language. This is why Dart doesn't recomend the use of injections, as explained here: https://www.dartlang.org/articles/embedding-in-html/#no-script-injection-of-dart-code

"No script injection of Dart code We do not currently support or recommend dynamically injecting a tag that loads Dart code. Recent browser security trends, like Content Security Policy, actively prevent this practice."

But google should do more than that, and forbid it entirely, together with the "eval" command.

Emanuele Sabetta
  • 1,571
  • 12
  • 34
0

It is better to direct such questions to your crystal ball ;-)

Google is very reluctant to make statements about such things. There were discussions in the past and they considered it and they might reconsider it eventually.

Currently the only option is to launch new isolates and even this is still work in progress and has still limitations that makes this feature hard to use (no access to the browser API for client isolates for example).

Günter Zöchbauer
  • 623,577
  • 216
  • 2,003
  • 1,567
0

I'm not sure this question can really be answered; as it's probably not been decided.

Based on what's written in that page; I think it's very unlikely (especially as other rules, like one script tag, and a single main entry point).

But as with everything, things can change!

Danny Tuppeny
  • 40,147
  • 24
  • 151
  • 275
  • I am aware that it is not possible to get an answer from the community to this question. However, the authors of the article are also active on stackoverflow and I hope that they can give at least a comment about this _currently_. – Randy Oct 19 '14 at 11:02
  • 1
    From 1.7 release notes: dart2js The deferred loading mechanism now works in the presence of multiple Dart apps on the same page. It looks like you actually can have multiple apps / tags? – Robert Oct 19 '14 at 14:19