Hacker News new | past | comments | ask | show | jobs | submit | jedschmidt's comments login

A service worker would work fine; the connection would be instantiated from the SW and each window/worker could communicate with it via navigator.serviceWorker.


That doesn't work because browsers have duration limits on ServiceWorkers:

https://github.com/w3c/ServiceWorker/issues/980#issuecomment...

Also unfortunately Chrome doesn't keep SharedWorker alive after a navigation (Firefox and Safari do):

https://issues.chromium.org/issues/40284712

Hopefully Chrome will fix this eventually, it really makes it hard to build performant MPAs.


In my experience, as long as a controlled window is communicating with the SW, the connection will remain alive.


Instead of adding a non-standard API to opt-out of existing networking functionality, it would be great to see a lower-level networking primitive to unlock these kinds of use cases. I wrote more (with a proof-of-concept) here: https://readable.writable.stream


Fastly has something like this: https://docs.fanout.io/docs/http-streaming


If there's demand for it, would love to look into that.


Appreciate it. Annoyed I can't pull my Apple Card data into Personal Capital.


Not _quite_ arbitrary; the only code run is that generated by lave. Arbitrary code present in functions is parsed, but not run.


But if there is a persistence or network layer involved, when compromised, it could function as an injection vector into the application, right?


Sure, as it could with any part of your app, including wherever your JSON.parse code lives.


But could JSON.parse() fed with malicious data fire off an XMLHttpRequest or delete all of your data?


No. That's the whole point of using JSON.parse() instead of eval(). JSON is defined as a non-executing subset of JavaScipt syntax, one that contains only literal expressions. JSON.parse() will only parse valid JSON.

This is why, for instance, there's no native Date format in JSON. Dates in JavaScript require running a constructor -- new Date() -- so they aren't in JSON.


That would concern me too potentially, though if there isn't one already it should be easy to implement a switch that would turn this part of the behaviour off.

It looks very interesting to me from the point of view of dealing with certain data types better (at all, in fact), and handling circular references.


> it should be easy to implement a switch that would turn this part of the behaviour off

I think it's one of those "easy on the surface, but surprisingly complex" problems.

When you start allowing arbitrary code execution, it's a lot of work to prevent certain "functions" (i mean that in the non-programming way).


I was thinking more along the lines of turning it off at the generation side: only including anything in the persisted state that is safe.

Trying to detect the unsafe parts so they could be turned off after that point would be impossible as you suspect (the task would be constrained by the halting problem, https://en.wikipedia.org/wiki/Halting_problem).


It seems like it theoretically shouldn't be too hard to add the ability to validate that the data is a valid lave output if you're concerned about that. That more or less leaves only the issue of anonymous functions in the data being replaced with malicious functions, but frankly the only reason to be serializing functions is if they're user input, otherwise you should instead be serializing function name/key strings or some other well-defined form of function references and/or arguments.


Any type of code-serialization tool will be vulnerable to injection. This is why use of pickle is often discouraged in Python, in favor of serialization formats which don't deserialize to code. Anything that marks "valid output of the tool" could just as easily be produced by an attacker who uses the tool to serialize their malicious code, and even signing/secret-token systems aren't a guarantee since it's so incredibly easy to build or use them the wrong way.


I meant that your code could parse the supposed lave code before running it to verify that it is limited to the known lave constructs (which does not include arbitrary code execution). It would quite slow but enough to make it somewhat safe against an attacker providing malicious lave code.


If lave generates a well defined sublanguage, I don't think parsing would need to be much slower than parsing JSON. It would just be an extended JSON parser that happens to parse executable JavaScript.


OK, so put a ring on it.

And by ring, I of course mean HMAC.


My original HN submission was clearer, but alas didn't go anywhere: https://news.ycombinator.com/item?id=11185365


Absolutely. The downside of running a full-blown eval() exists in JSON too, it's just that the eval() there is taking place in the reviver function, which requires a lot more coordination than a self-contained file.

As far as efficiency, I'd think for most uses the issue would be on the JSON.parse end. In this case, lave might be more efficient, since JSON reviving often ends up creating temporary objects that need to GC'ed after reification.


Interesting. I'd like to whip up some simple benchmarks tomorrow, and I'll share what I find.

Also, it would be interesting to support other data-types, such as the ones that come with Immutable.js. That would be slick.


I really like the idea of using Google Spreadsheets as a quick and familiar GUI for entry or querying on data sets, as long as you understand the tradeoffs (write latency isn't great and they max out at 400,000 cells).

But this is especially nice when you build a layer on top of Google reduces lock-in, instead of adding another proprietary API. This is what I did with sheet-down[1], which turns a Google Spreadsheet into a LevelDB-compatible data store that can be swapped out with a file system or other compatible backend[2] once you outgrow Google.

[1] https://github.com/jed/sheet-down

[2] https://github.com/rvagg/node-levelup/wiki/Modules#storage


How do you handle type constraints? For example, how do you prevent users from inputing text in to number fields? I know Google Sheets has validators, but I don't know of any way to restrict someone from changing those validations while also providing the ability to input data.

Really curious, because I'd love to use something like this in our app.


My situation is for an intranet environment, so I suppose I could just ask nicely that they don't change validations. But chances are most of my target users aren't familiar enough with Google Spreadsheets to even get that far.


They upped the limit from 400,000 cells - I think it's around 2M now, will try to find the source


I wish `void` would get more love for IIFEs instead of just sitting there in a dark corner of JS, unloved.

    var foo = 'bar'
    var baz = 'bletch'
    
    void function (global) {
      //module pattern code here ...
    })(this)


Almost perfect, but you left an unmatched close parenthesis before the call operator.


Having gotten more accustomed to the VM approach over the past year since I wrote this post, I agree.


Thanks for leaving your Gist up there describing the process, Jed. I do some work in VMs, but still found it very useful.


Hi Jed, I was wondering what your VM box looks like? Any cool tools you would recommend?


Are you sure he was saying "ore"? Given the fact that his grammar is otherwise pretty tight, I wouldn't be surprised if he were instead using "ware".


Grammar & honorifics/formality are two separate subjects. I'm not fluent in Japanese by any stretch of the imagination, but I know the basics of grammar while I know basically nothing about formal speech/informal speech.


Consider applying for YC's Summer 2025 batch! Applications are open till May 13

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: