I started this morning thinking I would write my fourth rant post this week. But I decided to tone this back a bit and see if I could bring some useful discussion and clarity to a problem.
To give a little background for the uninitiated, Adobe AIR applications come in two flavors. In the first, the application is built with a tool (Flex Builder or the Flash IDE) that outputs a SWF containing everything you coded, all written in MXML and AS3. The alternative is to build your application in HTML and JavaScript, in which case a small SWF with an HTMLLoader loads your content and the whole application is HTML and JS.
Obviously these two roads have different learning curves, but both are intended to let you build desktop applications with tools that are familiar to you.
So, the non-rant. JavaScript is a dynamic, interpreted language, so you can build up source as a string and eval() it into a live JS object. At runtime you can construct new objects and alter the behavior of existing ones. That is a very powerful and a very dangerous tool.
Because AIR applications run on the user’s computer with all the rights and privileges of any other installed application, these dynamic abilities can pose a very serious threat. Picture an application that loads some JavaScript from a remote domain and uses eval() to turn that text into application objects; eval()-based JSON parsing is the classic case. If that remote JS is hijacked in some way (a compromised server, or a man-in-the-middle on a plain HTTP fetch), the attacker’s code runs with the application’s privileges: deleting every image on the user’s computer, loading up dangerous content, or simply turning your mild-mannered application into a porn portal.
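Here is the hazard described above as an added example (not code from the original post): the eval()-based loading of remote JSON beside the safe form. It is plain Node.js, and `airRuntime` is a constructed stand-in for a privileged API such as file deletion, exposed as a global the way AIR’s APIs are reachable from application-sandbox script.

```javascript
// Added example, not from the original post: eval()-based loading of remote
// JSON beside the safe JSON.parse form. Plain Node.js; `airRuntime` is a
// constructed stand-in for a privileged API (file deletion) reachable as a
// global, the way AIR's APIs are reachable from application-sandbox script.
globalThis.airRuntime = {
  deleted: [],
  deleteFile(path) { this.deleted.push(path); },
};

// The dangerous pattern: treat the HTTP response body as code.
function loadObjectsWithEval(responseText) {
  // Parenthesised so an object literal is parsed as an expression, not a block.
  return eval("(" + responseText + ")");
}

// The safe form: JSON.parse accepts data only and rejects anything executable.
function loadObjectsWithParse(responseText) {
  return JSON.parse(responseText);
}

// Constructed sample responses. The second is what a hijacked server or a
// man-in-the-middle could return: valid JavaScript, but not valid JSON.
const HONEST_RESPONSE = '{"images":["cat.png","dog.png"]}';
const HIJACKED_RESPONSE =
  '{"images":[], "x": airRuntime.deleteFile("/home/user/Pictures")}';

// Run both loaders over both responses and report what each one did.
function demoEvalVersusParse() {
  airRuntime.deleted = [];
  const report = {};
  report.evalHonest = loadObjectsWithEval(HONEST_RESPONSE).images.length;     // 2
  report.evalHijacked = loadObjectsWithEval(HIJACKED_RESPONSE).images.length; // 0, and...
  report.deletedByEval = airRuntime.deleted.slice();  // ["/home/user/Pictures"]: the payload ran
  report.parseHonest = loadObjectsWithParse(HONEST_RESPONSE).images.length;   // 2
  try {
    loadObjectsWithParse(HIJACKED_RESPONSE);
    report.parseHijacked = "accepted";
  } catch (e) {
    report.parseHijacked = e.name; // "SyntaxError": the payload never executes
  }
  return report;
}

console.log(demoEvalVersusParse());
```

The point generalises beyond AIR: anything fetched from a network is data until you have parsed and validated it, and a parser that can only produce objects, arrays, strings and numbers cannot be turned into a remote code execution primitive the way eval() can.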
To help combat these problems the AIR team built different security sandboxes that content gets loaded into. Files installed with your application, living in the application resource directory, run in the application sandbox and have full access to the AIR runtime APIs. Content loaded from any other source runs in a non-application sandbox (in the HTML case, an iframe carrying sandboxRoot and documentRoot attributes) and has no direct access to the AIR runtime.
The assumption is that scripts you installed with your application are trusted. If you read through the security documentation, every example given frames this as protection against remote vulnerabilities.
This seems very reasonable to me. Remote content, no AIR runtime. If I want to give that content access to AIR runtime features, I expose an API for my application through the sandbox bridge (parentSandboxBridge / childSandboxBridge). This makes total sense.
However, there is one piece of this security model that I have left out, and it’s the part that brings me the most frustration. In the application security sandbox the AIR developers have limited the functionality of JavaScript by disabling eval(): once the document’s load event has fired, eval(), the Function constructor, string arguments to setTimeout()/setInterval(), and javascript: URLs are all refused in application-sandbox content. The reasoning is that because this sandbox has access to all the AIR APIs, dynamic evaluation should not be allowed there. They provide, via the bridges, a way to communicate with the limited sandboxes and do the evaluation there, but you cannot do it in the root context.
The result is that many or most JavaScript frameworks that rely on eval() to execute code must be run in a non-application sandbox to function correctly. Even if your application makes no use of any outside content at all, its functionality has been cut off at the knees and you must work around the security sandboxes. However, since any content loaded from a remote source gets loaded into a secure sandbox with no access to these APIs anyway, I really think the whole issue is moot.
I guess it comes down to this. I understand and agree wholeheartedly that content loaded from remote sources should not have access to the AIR APIs. But I don’t think that the application security sandbox should have lessened functionality.
I think that in an effort to make sure AIR doesn’t get used for malicious purposes, they have decided to treat developers like they are incompetent. It’s like they are saying “here is a fork, but we don’t trust you not to stick it in the outlet, so we are turning the juice to the outlet off. We don’t care if you need the juice for your computer. No juice for you.” Because in the application security sandbox the only thing running is the code you installed with your application.
So what do you think? I’ll be honest, I love dynamic languages, and I think this is one of the only reasons I would build something in JS over AS3. Is this something that bothers you? Or do you think they really just have our best interests at heart? I really am curious.