Skip to content
This repository has been archived by the owner on Oct 2, 2018. It is now read-only.

Refactor event handler #272

Open
ferndot opened this issue Jan 3, 2015 · 6 comments
Open

Refactor event handler #272

ferndot opened this issue Jan 3, 2015 · 6 comments
Labels
difficulty: moderate domain: performance domain: security

Comments

@ferndot
Copy link
Member

ferndot commented Jan 3, 2015

For performance and security, we should get rid of the global event listeners in firetext.js.

@twiss and I discussed this on Gitter and propose that we create a new interface.js script that will manually add event listeners to interface elements. The script will pass events to the processActions function. Variables can be defined in the markup (e.g. data-click-location), but actions would be hard coded into the script.

Feel free to suggest modifications to this strategy.
@Ryuno-Ki
Copy link

Ryuno-Ki commented Jan 5, 2015

I'm curious, why global event listeners shall be a perf and security issue.
Have you something to read for me?

@ferndot
Copy link
Member Author

ferndot commented Jan 5, 2015

The security issue arises from our definition of the actions in the markup. E.g. data-click="nav" data-click-location="add". It is basically a sneaky way of doing eval().

Also, intercepting all click, submit, keypress, mousedown, focus, blur, or gesture events across the entire app has to hurt performance.

@twiss
Copy link
Collaborator

twiss commented Jan 5, 2015

(@joshua-s beat me to it :))

Delegated event handlers can in some cases be faster, because having many event handlers is slow and having one event handler (on the parent of those elements, say) is faster. However, if you put a delegated event handler on document (or html, or body) you have to check whether you're interested in the event every time the user does anything anywhere, which can be slow. I don't know if this is the case for us, though. More info and "proof": http://stackoverflow.com/a/8827535.

Re. security, normally, if you put a user's html in the dom without escaping or thoroughly sanitizing it (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet), you have an XSS vulnerabilty (the user can run any script he wants). CSP can mitigate this by disallowing things like onclick="foo()", <script>foo()</script> and more. However, we implement data-click="bar" where bar is defined in processActions, which is not as bad but still bad.

@ferndot
Copy link
Member Author

ferndot commented Jan 5, 2015

@twiss I think that we would want to incur the CPU usage on listener creation. That way, we can get the brunt of it out of the way during the app's load stage and leave the app performant for interactions. It may not be a big deal on desktop, but I am sure that it will impact mobile.

@twiss
Copy link
Collaborator

twiss commented Jan 5, 2015

Yep, I agree, I only meant that testing is better than theory, in other words, does it feel sluggish on some phones. However, the security reason alone is enough to do this, so no need to test this now IMO.

@Ryuno-Ki
Copy link

Thank you for the information!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
difficulty: moderate domain: performance domain: security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@twiss @ferndot @Ryuno-Ki