Posted to dev@weex.apache.org by 申远 <sh...@gmail.com> on 2020/03/02 15:33:02 UTC

Re: Is there a global Object in SandBox mode?

Well, it seems like you could use broadcastChannel [1] to send messages (not
callbacks) among pages. If this is not enough, you have to use the low-level
C++ API to implement it yourself, which is hard to write and not encouraged.

Is a message among pages not enough in your case? I'd like to hear the
details.

FYI: Apache Weex excludes the global JS object for security reasons. A
malicious hacker could inject a JS snippet containing dangerous functions
just by loading his URL in Weex. If a global JS object were supported, it
would be very easy for you to execute the JS function provided by the malicious
hacker in your page. That's the reason we designed the Sandbox, and I'd
encourage every developer to keep it for security reasons.

[1] https://weex.apache.org/zh/docs/api/broadcast-channel.html

Best Regards,
YorkShen

申远


黄天宁 <zs...@gmail.com> wrote on Fri, 28 Feb 2020 at 10:17 AM:

> OK, I get it. Thanks!
> But it is a shame. Both ways are not enough for me. (The first is not
> suitable; the second cannot save JS callbacks in Native.)
> I want a global object in JS, with no Native business involved.
> I use an Eventbus-like way for communication between neighbouring pages
> instead.
>
> Before Sandbox, I implemented an API for *neighbouring pages*:
>
> pageA pushes to pageB with a *callback((v)=>{})* and an *increased pushId*;
> pushId && callback are both saved in the *global* *Date().$CALLBACKS/*
> *Date().$PUSHID.*
> pageB gets the *pushId* from params. When pageB *pop(v)*s, *search the
> callback by pushId* in the global Date().$CALLBACKS, then invoke *callback(v).*
>
> It is a very useful API, and the scene is frequent in business
> for neighbouring pages, which need pageA to invoke a callback after returning
> from pageB with params.
>
> By the way, I found a terrible bug in Jsfm on Android, and I am trying to find
> the reason and solve it.
> When the type of *inputValue* is *number*, which is *bound to* the Component
> <input> *property value*, a *precision problem* happens to *inputValue*.
> For example, inputting 2.5 will show 2.50000; if *inputValue* is changed to
> *string*,
> the error disappears.
> The behaviour on iOS is all right.
>
>
> 申远 <sh...@gmail.com> wrote on Thu, 27 Feb 2020 at 5:49 PM:
>
> > The answer is no, and you should never consider using Weex without
> > sandbox.
> >
> > You could, however,
> > 1. use broadcastChannel [1] for communication between pages
> > 2. or use JS service [2] for vendor.js, which is very similar to a global
> > object.
> >
> > [1] https://weex.apache.org/zh/docs/api/broadcast-channel.html
> > [2] https://weex.apache.org/zh/docs/api/js-service.html
> >
> > Best Regards,
> > YorkShen
> >
> > 申远
> >
> >
> > 黄天宁 <zs...@gmail.com> wrote on Tue, 25 Feb 2020 at 4:16 PM:
> >
> > > Dear devs:
> > >      I'm sorry to disturb you with a question about SandBox on both
> > > aos/ios.
> > >      In some cases, developers need a global Object to save/share
> > > something for different pages with JS callbacks, which cannot be saved to
> > > Native SharedPreferences.
> > >      *1. In sandBox mode, is there a global Object for mounting?* (It
> > > looks like there is none, from the doc on the website:
> > >   *In particular, the Vue variable is different in each page, and even
> > > the "global" config of Vue (Vue.config.xxx) only affects the single page
> > > on Weex.*
> > >
> > >      The Android SDK can switch to *non-sandbox mode*, but the iOS SDK
> > > looks like it has none.
> > >      *2. iOS is not like Android; it is without the selection
> > > of isSandBox.*
> > >      I understand little of the C++ sandBox. If you have free time, give
> > > me some pointers, please.
> > >
> > > Thanks!
> > >
> >
>

Re: Is there a global Object in SandBox mode?

Posted by 申远 <sh...@gmail.com>.
1. If global variables were allowed, then attackers could even replace
the default implementation of string/array or anything else you can imagine,
then inject it into the global environment, and you would be attacked by simply
using an array in your JS bundle. Encoding/decoding the JS is not helpful here.

2. You could probably solve the problem in a different way. navigator.push()
in Weex doesn't support any parameters, but you can implement your own
navigator module that supports parameters:

   1. Create an API like *nav2.push(argsA)*, *nav2.pop(argsB)*.
   2. Implement it in Java code. You could always execute JS code from Java
   by calling execJS().
   3. Just invoke nav2 in your JS code.

Actually, you could make the implementation of navigator in Weex better,
and I am happy to review and merge your code.

Best Regards,
YorkShen

申远


黄天宁 <zs...@gmail.com> wrote on Tue, 3 Mar 2020 at 9:43 AM:

> Yeah, I get your meaning. (For security, I encode the JS bundle with XXTEA in
> OSS, and download/decode the JS bundle before SDKManager.render().)
> And in fact, broadcastChannel satisfies the needs of the business.
> But it is not *the best/easiest way to deal with neighbouring pages*, especially
> when the second page goes back to the first page with an obj param. (Such as:
> bank detail page (click the bank) => bank list page (choose a bank) => back to
> bank detail page (with bank info param))
>
> Out of laziness, I wrote a JS API for more convenience in this scene:
>
> /* global Date */
> // Per-JS-environment counter and callback registry, hung off the Date global
> Date.$PUSH_UUID = Date.$PUSH_UUID || 0
> Date.$PUSH_CALLBACK_CENTER = Date.$PUSH_CALLBACK_CENTER || {}
>
> function $push(path, params, callback) {
>     const isWeexPage = path.indexOf('weex/page/') >= 0
>     const hasCallback = typeof callback === 'function'
>
>     if (!isWeexPage && hasCallback) {
>         log('Warning', 'Only pushing to a Weex page support a callback!')
>     }
>
>     // Only a Weex page pushed with a callback gets an id; it reaches pageB as a URL param
>     const puuid = (isWeexPage && hasCallback) ? (++Date.$PUSH_UUID) : undefined
>     const finalUrl = url.join(toLink(path, DefaultScheme), params, puuid ? { puuid } : undefined)
>     native.push(finalUrl)
>
>     if (puuid) {
>         Date.$PUSH_CALLBACK_CENTER[puuid] = callback
>         // Drop the callback when pageA is destroyed so it can never fire afterwards
>         this.$on('hook:destroyed', () => Date.$PUSH_CALLBACK_CENTER[puuid] = undefined)
>     }
> }
>
> function $pop(v) {
>     native.pop()
>     const root = getRootVM(this)
>     const puuid = root.params.puuid
>     if (puuid) {
>         // Look up and consume the callback registered by pageA, then invoke it once
>         const callback = Date.$PUSH_CALLBACK_CENTER[puuid]
>         Date.$PUSH_CALLBACK_CENTER[puuid] = undefined
>         if (typeof callback === 'function') callback(v)
>     }
> }
>
> It is useful and very convenient.
> A=>B : $push(url, params, (v)=>{ //do callback  })
> B=>A:  $pop(obj)
> Then the callback (from A) will be invoked with obj (from B).
> *The only premise is that Date is a global object in the JS environment for
> each weex instance.*
>

Re: Is there a global Object in SandBox mode?

Posted by 黄天宁 <zs...@gmail.com>.
Yeah, I get your meaning. (For security, I encode the JS bundle with XXTEA in
OSS, and download/decode the JS bundle before SDKManager.render().)
And in fact, broadcastChannel satisfies the needs of the business.
But it is not *the best/easiest way to deal with neighbouring pages*, especially
when the second page goes back to the first page with an obj param. (Such as:
bank detail page (click the bank) => bank list page (choose a bank) => back to
bank detail page (with bank info param))

Out of laziness, I wrote a JS API for more convenience in this scene:

/* global Date */
// Per-JS-environment counter and callback registry, hung off the Date global
Date.$PUSH_UUID = Date.$PUSH_UUID || 0
Date.$PUSH_CALLBACK_CENTER = Date.$PUSH_CALLBACK_CENTER || {}

function $push(path, params, callback) {
    const isWeexPage = path.indexOf('weex/page/') >= 0
    const hasCallback = typeof callback === 'function'

    if (!isWeexPage && hasCallback) {
        log('Warning', 'Only pushing to a Weex page support a callback!')
    }

    // Only a Weex page pushed with a callback gets an id; it reaches pageB as a URL param
    const puuid = (isWeexPage && hasCallback) ? (++Date.$PUSH_UUID) : undefined
    const finalUrl = url.join(toLink(path, DefaultScheme), params, puuid ? { puuid } : undefined)
    native.push(finalUrl)

    if (puuid) {
        Date.$PUSH_CALLBACK_CENTER[puuid] = callback
        // Drop the callback when pageA is destroyed so it can never fire afterwards
        this.$on('hook:destroyed', () => Date.$PUSH_CALLBACK_CENTER[puuid] = undefined)
    }
}

function $pop(v) {
    native.pop()
    const root = getRootVM(this)
    const puuid = root.params.puuid
    if (puuid) {
        // Look up and consume the callback registered by pageA, then invoke it once
        const callback = Date.$PUSH_CALLBACK_CENTER[puuid]
        Date.$PUSH_CALLBACK_CENTER[puuid] = undefined
        if (typeof callback === 'function') callback(v)
    }
}

It is useful and very convenient.
A=>B : $push(url, params, (v)=>{ //do callback  })
B=>A:  $pop(obj)
Then the callback (from A) will be invoked with obj (from B).
*The only premise is that Date is a global object in the JS environment for
each weex instance.*
