JavaScript – How to Protect Namespace of an Object

code-securityjavascriptobject-orientedSecurity

Continuing from my previous question: Javascript simple code to understand prototype-based OOP basics
Let's say we run into console this two separate objects(even if they are called child and parent there is no inheritance between them):

var parent = {
    name: "parent",
    print: function(){
       console.log("Hello, "+this.name);
    }
};

var child = {
    name: "child",
    print: function(){
       console.log("Hi, "+this.name);
    }
};

parent.print()
// This will print: Hello, parent
child.print()
// This will print: Hi, child

temp =parent;
parent = child;
child = temp;


parent.print()
// This will now print: Hi, child
child.print() 
// This will now print: Hello, parent

Now suppose that parent is a library, as a HTML5 application in a browser this cannot do much harm because is practically running sandboxed, but now with the advent of the ChromeOS, FirefoxOS and other [Browser] OS they will also be linked to a native API, that would be a head out of the „sandbox”. Now if someone changes the namespace it would be harder for a code reviewer (either automated or not ) to spot an incorrect use if the namespaces changes.

My question would be: Are there many ways in which the above situation can be done and what can be done to protect this namespaces? (Either in the javascript itself or by some static code analysis tool)

Best Answer

There is really very little you can do (in all browsers) to protect global variables.

However a common (good) practice is to encapsulate all of your scripts in (IIFE) functional closures.

(function() {
    var parent = {
        name: "parent",
        print: function(){
           console.log("Hello, "+this.name);
        }
    };

    var child = {
        name: "child",
        print: function(){
           console.log("Hi, "+this.name);
        }
    };

    parent.print()
    // This will print: Hello, parent
    child.print()
    // This will print: Hi, child
})();

This means that you may only use parent and child inside the scope of that function. While that is limiting, it is also protecting. If you needed them globally, one option would be maintain a namespace object:

var myGlobals = {};

(function( global ) {
    global.parent = {
        name: "parent",
        print: function(){
           console.log("Hello, "+this.name);
        }
    };

    global.child = {
        name: "child",
        print: function(){
           console.log("Hi, "+this.name);
        }
    };

    global.parent.print()
    // This will print: Hello, parent
    global.child.print()
    // This will print: Hi, child
})(myGlobals);

Or if you really needed them as individual globals, you could just do:

(function() {
    window.parent = {
        name: "parent",
        print: function(){
           console.log("Hello, "+this.name);
        }
    };

    window.child = {
        name: "child",
        print: function(){
           console.log("Hi, "+this.name);
        }
    };

    parent.print()
    // This will print: Hello, parent
    child.print()
    // This will print: Hi, child
})();

But that leaves you back at square one. In this case you would need to make sure that you do something to protect those variables at the time of shuffling. Instead of writing:

temp =parent;
parent = child;
child = temp;

You may write:

(function( parent, child ) {

    // Do some stuff.

    // Note: parent and child are references,
    // although they are switched, something like:
    //    child.hello = "hello";
    // will still edit the `parent` object in the outer scope

})(child, parent); // Pass them in swapped.

Freeze and Seal (two new JS Object methods) are worth noting in this thread despite not exactly solving your problem nor having cross-browser support yet.

Related Solutions

Javascript – Is it a good idea to do UI 100% in Javascript and provide data through an API

Linkedin do this for their mobile site (see http://engineering.linkedin.com/nodejs/blazing-fast-nodejs-10-performance-tips-linkedin-mobile part 4), and it's apparently been very beneficial for them from a performance standpoint.

However, I'd suggest you avoid doing the same, for various reasons.

The first is maintainability: C#/ASP.net is, due to it being a server-side framework, client-independent, whereas Javascript is not (even with a framework like jQuery you're not going to get 100% cross-browser compatibility, not future-proofing). I'd say it's also easier to verify the functionality of a statically-typed application than an dynamic one, which is something you absolutely must consider if you're building large-scale sites.

The second is that you're going to find it difficult to find other people who are capable (and willing) to build a pure-javascript application of the kind of complexity needed to run your entire website (compared to the relative ease of finding .NET programmers). This might not be a concern of yours directly, but it certainly is something to think about from a long-term perspective.

The third issue is client-compatibility; if you're building public-facing websites then remember that a reasonable portion of the net still does not have JS enabled (for various reasons), so you'll need to be absolutely sure that you're not going to exclude a large portion of your userbase by switching to a JS-driven website.

As for your bulleted concerns:

I wouldn't worry too much about the security aspect, there's no reason why you could not mix paradigms and do some server-side processing when you require security (you're going o have some view-rendering code in there somewhere that returns HTML, there's no reason you can't have this just fire off an AJAX call instead, when required).
Ease of development isn't really a concern too, in my opinion, there are very good tools available for JS development, don't just box yourself into VisualStudio because you're used to it! (try JetBrains WebStorm, for example).
Performance of JS view engines is absolutely fine in most cases (again, in my experience), I use them heavily on a day-to-day basis. What I would suggest is avoiding the more heavyweight frameworks like knockout.js etc., and head instead for something like Jon Resig's micro template engine. This way you can plug in the supporting code in ways you're confident are fast and reliable.

What I'd do, if I were you, is really examine the reasons behind this switch; It could well be that you're just not leveraging .NET effectively and need to up your game, WebForms isn't a particularly slow framework out-of-the-box, so perhaps some of the 3rd-party libraries you're using are slowing down your rendering.

Try doing a performance profile of the application using a load test and profiling tool, and see where your bottlenecks are before you sink a large amount of time and effort into a more radical solution, you'll probably be surprised at what you find as the culprit for your slowness!

The “correct” way to store functions in a database

I don't know how different the functions you want to store are, but if you can isolate few different "types of functions" you could do something like this :

Create several generic methods in your model which can make every special calculus needed with the help of some arguments :

def integrate_over_an_area(args={})
  #Do your calculus with your args.
end

def simple_arithmetics(args={})
  #Do your calculus with your args.
end

Create - for each model instance - a hash describing which generic function to use and the parameters :
```
{ 
 function: "integrate_over_an_area",
 args: {
   arg1: "value",
   arg2: "value",
   ...
  }
}
```
Store the hashes in a column named "special_function_hash" or something like this, in your model's table
Create a "special_function" method in your model which calls the function described in the hash, with the arguments described in the hash

Best Answer

Related Solutions

Javascript – Is it a good idea to do UI 100% in Javascript and provide data through an API

The “correct” way to store functions in a database

Related Topic