Downloading JSON and JavaScript in extensions

A common practice in many extensions is to use XMLHttpRequest (or some other mechanism) to download JavaScript or JSON (the two are different things) from a remote website, and then to call eval() on the downloaded string to turn it into JavaScript objects. This practice is dangerous and will not pass an AMO review, so an extension that does it will not be allowed to move out of the AMO sandbox.

The practice is dangerous because code passed to eval() from extension code runs with the extension's full chrome privileges: whatever the server sends can do anything the extension itself can do. How could the JavaScript an extension downloads turn hostile? Easily. The web server hosting it only has to be hijacked or compromised, and that happens to the best of us; if the download goes over plain HTTP, anyone on the network path can substitute the content without touching the server at all. Either way the attacker gets to run their own code with chrome privileges in every user's browser, which is why AMO takes the threat very seriously.

The good news is that there are several ways to work around the problem.

Downloading JSON

If the extension is downloading JSON, the developer should use one of the JSON decoding methods discussed here and not eval() at all. JSON describes state, not behaviour: its grammar has no functions or expressions, so a JSON decoder rejects anything that is not a plain literal and a malicious payload fails to parse instead of executing. That is what protects the extension from hostile JSON or JavaScript served in its place. Downloading state from a remote web server as JSON is becoming extremely popular. Use the JSON decoders, not eval()! Note that decoding safely does not make the data trustworthy: validate the parsed structure (expected keys, types and ranges) before acting on it.
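The difference between the two decoders, as an added example that is not code from the original page. The payloads are constructed for illustration: the hostile one is what a compromised server might hand an extension that expects JSON. It is valid JavaScript but not valid JSON, so eval() runs it while JSON.parse() refuses it.

```javascript
// Added example, not code from the original page: what eval() does with a
// payload that merely looks like JSON, versus what JSON.parse() does with it.

// Constructed sample: a "config" as a compromised server might serve it. The
// second value is a call expression, not a literal, so it is not JSON.
const HOSTILE_PAYLOAD =
  '{"version": 2, "note": (function () { globalThis.compromised = true; return "x"; })()}';
const BENIGN_PAYLOAD = '{"version": 2, "note": "hello"}';

// The legacy pattern: wrap in parentheses so eval() treats the text as an
// object literal rather than a block statement. Anything the server sends runs
// with the caller's privileges.
function decodeWithEval(text) {
  return eval('(' + text + ')'); // DO NOT DO THIS with remote content
}

// JSON.parse() only accepts the JSON grammar (objects, arrays, strings,
// numbers, true/false/null). Code cannot be expressed in it, so the hostile
// payload fails to parse instead of running.
function decodeJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Decoding safely is not the same as trusting the data: check the shape you
// expect before acting on it, and copy only the fields you asked for.
function loadConfig(text) {
  const r = decodeJson(text);
  if (!r.ok) return null;
  const v = r.value;
  if (typeof v !== 'object' || v === null || Array.isArray(v)) return null;
  if (!Number.isInteger(v.version) || v.version < 1) return null;
  if (typeof v.note !== 'string') return null;
  return { version: v.version, note: v.note };
}

console.log(decodeJson(HOSTILE_PAYLOAD)); // { ok: false, error: 'SyntaxError' }
console.log(loadConfig(BENIGN_PAYLOAD));  // { version: 2, note: 'hello' }
decodeWithEval(HOSTILE_PAYLOAD);
console.log(globalThis.compromised);      // true: the embedded function ran
```

The same text goes through both functions; only eval() gives the server a way to execute code. loadConfig() shows the second half of the rule: JSON.parse() stops code, but it is the extension's own checks that stop malformed or unexpected state.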

Downloading JavaScript

Of course there are times when JavaScript code modules are downloaded and injected into the extension. This usually happens because the extension is trying to keep some of its code fresh and dynamic, and the developers don't want to ship a new version of the extension for every script change. In this case, JavaScript sandboxing should be used to isolate the downloaded JavaScript from the rest of the extension and from the host application.

Sandboxing is done using Components.utils.evalInSandbox(). The JavaScript code is evaluated in the sandbox along with any "safe" objects the JavaScript needs to interact with. Sandboxing is not without its dangers, and developers should read the sandboxing page carefully to make sure nothing untrusted leaks out of the sandbox and nothing privileged leaks in: every object handed to the sandbox is a potential path back to chrome, and every value read back from it is attacker-controlled.