 

How can dates and random numbers be used for evil in JavaScript?

The ADsafe subset of JavaScript prohibits the use of certain things that are not safe for guest code to have access to, such as eval, window, this, with, and so on.

For some reason, it also prohibits the Date object and Math.random:

Date and Math.random

Access to these sources of non-determinism is restricted in order to make it easier to determine how widgets behave.

I still don't understand how using Date or Math.random will accommodate malevolence.

Can you come up with a code example where using either Date or Math.random is necessary to do something evil?

Peter Olson asked Sep 30 '11 17:09


3 Answers

According to a slideshow posted by Douglas Crockford:

ADsafe does not allow access to Date or random

This is to allow human evaluation of ad content with confidence that behavior will not change in the future. This is for ad quality and contractual compliance, not for security.

Jon Newmuis answered Nov 04 '22 01:11


I don't think anyone would consider them evil per se. However the crucial part of that quote is:

easier to determine how widgets behave

Obviously Math.random() introduces indeterminism so you can never be sure how the code would behave upon each run.

What is not obvious is that Date brings similar indeterminism. If your code is somehow dependent on the current date it will (again obviously) work differently in some conditions.

I guess it's not surprising that these two methods/objects are non-functional, in other words each run may return a different result irrespective of arguments.

In general there are some ways to fight this indeterminism: storing the initial random seed to reproduce the exact same series of random numbers (not possible in JavaScript) and supplying client code with a sort of TimeProvider abstraction rather than letting it create Dates everywhere.

Tomasz Nurkiewicz answered Nov 03 '22 23:11
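The TimeProvider and seeded-random idea from the answer above, as an added example that is not part of any answer or of ADsafe itself: the host passes guest code an injected clock and a seeded generator instead of Date and Math.random, so a reviewer can replay a widget exactly and sweep simulated dates to find output that changes over time. The names makeSeededRandom, runWidget, findBehaviorChanges and the sample widget are hypothetical.

```javascript
'use strict';

// Small deterministic PRNG standing in for Math.random (not cryptographic).
function makeSeededRandom(seed) {
  let a = seed >>> 0;
  return function random() {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Run guest code with an injected environment instead of the globals.
// `widget` is a function (env) => string; env.now() returns epoch milliseconds.
function runWidget(widget, nowMs, seed) {
  const env = Object.freeze({ now: () => nowMs, random: makeSeededRandom(seed) });
  return widget(env);
}

// Reviewer sweep: render the widget once per simulated day and record
// every day on which the output differs from the previous day's output.
function findBehaviorChanges(widget, startMs, days, seed) {
  const DAY = 24 * 60 * 60 * 1000;
  const changes = [];
  let previous = runWidget(widget, startMs, seed);
  for (let d = 1; d < days; d++) {
    const current = runWidget(widget, startMs + d * DAY, seed);
    if (current !== previous) changes.push({ day: d, from: previous, to: current });
    previous = current;
  }
  return changes;
}

// Constructed sample widget: its output depends on the clock, so what a
// reviewer sees on one day is not what is shown after the cutoff.
const CUTOFF = Date.UTC(2030, 0, 10);
function sampleWidget(env) {
  const variant = env.random() < 0.5 ? 'A' : 'B';
  return env.now() < CUTOFF ? 'reviewed-ad-' + variant : 'unreviewed-ad-' + variant;
}

const start = Date.UTC(2030, 0, 1);
console.log(findBehaviorChanges(sampleWidget, start, 30, 42));
```

With a fixed seed the random variant is identical on every run, so the only difference the sweep reports is the one caused by the date.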


According to their website, they don't include Date or Math.random to make it easier to determine how third party code will behave. The problem here is Math.random (using Date you can make a pseudo-random number as well) - they want to know how third party code will behave and can't know that if the third party code is allowed access to random numbers.

By themselves, Date and Math.random shouldn't pose security threats.

jtfairbank answered Nov 04 '22 00:11