#clojurescript
2016-08-15
cfleming00:08:45

@mfikes: Thanks, will do

mitranim07:08:17

@xcthulhu: JS, and particularly the browser environment, is hackable enough so that as soon as untrusted code enters your VM, say goodbye to security

thheller08:08:30

@xcthulhu: any sort of js injection is bad not restricted to cljsjs, you should look into the Content-Security-Policy http headers if you really want to lock things down

thheller08:08:11

in my experience the biggest issue however are plugins the user already has installed

thheller08:08:31

nothing related to your own code or server can help there

grav08:08:04

@xcthulhu: In which way is modifying React specifically related to cljs? The generated javascript is just javascript when it reaches the browser. So I suppose the cljs compiler could potentially open up an additional security hole, but I fail to see how it currently does that?

xcthulhu12:08:00

@grav: Well, the idea is that an easy attack vector is modifying window.React.

xcthulhu12:08:02

@thheller: Avoiding globals like window.React or window.crypto is a measure you can take but it looks like nobody bothers much.

thheller12:08:39

@xcthulhu: how is that a factor? if someone can execute code on your page they can do anything, they don't need React for that?

thheller12:08:13

most likely they will read cookies and such

thheller12:08:37

React does not open any new risks that aren't there without

xcthulhu12:08:09

It depends on the app; you might not store anything of value in cookies, and just make the user enter a password via a form.

thheller12:08:59

then they can just replace whatever method you are using to send it to the server

thheller12:08:30

only way to be secure is ssl + no outside scripts

xcthulhu12:08:39

I'm not, I'm trying to use ECDH to avoid sending it.

thheller12:08:50

Content-Security-Policy helps too

xcthulhu12:08:42

For sure, but I seriously have crazy clients that ask me to handle digital currency in the browser. I told the last client "No" but I've been racking my brain on how to do this.

thheller12:08:36

well for anything secure outside scripts are a no-no

xcthulhu12:08:37

I can lock down most stuff by just doing authentication via ECDSA and encrypted communication with ECDH for shared secrets

thheller12:08:51

that doesn't do anything

thheller12:08:05

as soon as someone is executing code in your context

thheller12:08:12

the needed information will leak

thheller12:08:24

you cannot allow outside scripts ever

thheller12:08:34

+ enforce ssl

thheller12:08:03

even better with HSTS

thheller12:08:26

but you said compromised ad server

xcthulhu12:08:40

You would still not want to hand the server your password for your digital currency because the server can get hacked too.

thheller12:08:45

as soon as an ad is on your page you are basically giving up any and all security

xcthulhu12:08:04

But I guess when it comes to trying to tighten up injection attacks against React or window.crypto nobody seems to worry

xcthulhu12:08:13

Or they do, but half-heartedly

thheller12:08:22

personally I wouldn't worry about any of that

thheller12:08:34

make sure all communication between you and the server is over https

thheller12:08:45

+ no outside scripts

thheller12:08:54

+ Content-Security-Policy

thheller12:08:09

doesn't get safer than that IMHO

xcthulhu12:08:21

Okay, so my last client wanted to make a "Decentralized Facebook" where you can tip your friends with digital currency

xcthulhu12:08:33

In that case, you would have to talk P2P via WebRTC

xcthulhu12:08:23

Like I said, I told them "No" but a lot of these security measures assume a trusted central entity...

xcthulhu12:08:49

Content delivery is another problem for that platform...

thheller12:08:08

well building something like that in the browser will probably never be secure enough

xcthulhu12:08:39

All I did was server side crypto for them

thheller12:08:55

but you always need something to deliver the app.js

xcthulhu12:08:04

I suggested IPFS

xcthulhu12:08:09

Are you familiar with it?

thheller12:08:49

no, read some docs once but nothing past that

xcthulhu12:08:56

Basically it associates files with a merkle-hash, similar to commits in git.

xcthulhu12:08:25

So the idea would be that you could go to or something

thheller12:08:36

that does not look like something a browser can go to?

xcthulhu12:08:18

Yeah, obviously you would need to ask users to download a plugin.

xcthulhu12:08:26

Maybe Brave will have support in a few years.

thheller12:08:54

well anyways, in the context of http and clojurescript (or js) use https + no outside scripts + Content-Security-Policy for the paranoid

xcthulhu12:08:37

I still would prefer if React wasn't a global object but I guess nobody else seems to care.

thheller12:08:49

I do not see why that is an issue?

thheller12:08:03

if you can trust the code there is no problem

thheller12:08:24

if you can't you can't, all the "hacker" would need is to open a dev console and look up the name it is using instead

thheller12:08:31

that is not a hard hack

thheller12:08:44

obfuscation is not security

xcthulhu12:08:54

Why couldn't you keep it in a closure so they couldn't touch it?

xcthulhu12:08:14

That would be nice

thheller12:08:21

uhm that would be simple

thheller12:08:29

although I have no idea if react can work with that

xcthulhu12:08:33

It's not bullet proof

thheller12:08:37

in cljs you have :output-wrapper

thheller12:08:01

but still, nothing is gained in terms of security

xcthulhu12:08:21

thanks for your time @thheller

anmonteiro13:08:15

Clojurescript seems to have a new website http://clojurescript.org/

anmonteiro13:08:35

this no longer redirects to the GitHub repo

mfikes13:08:14

Now that’s awesome!!!

slipset13:08:40

@alexmiller: I somewhat understand that you’d want the paragraph

Why Clojure?

Clojure is a dynamic, general-purpose programming language supporting interactive development. Clojure is a functional programming language featuring a rich set of immutable, persistent data structures. As a dialect of Lisp, it has a code-as-data philosophy and a powerful macro system.
since Clojurescript in a way is a Clojure, but to me it would have read better if it’d said Clojurescript instead of Clojure.

Alex Miller (Clojure team)13:08:33

it’s really explaining the first para, so I don’t think ClojureScript would make sense there

Alex Miller (Clojure team)13:08:41

ClojureScript is a Clojure dialect

Alex Miller (Clojure team)13:08:11

but I understand that it may be a little weird seeing that at the top of the cljs site

slipset13:08:59

I’m also sort of uneasy about ‘Clojurescript is a compiler for Clojure that targets javascript’. It is most probably correct, but to me, a user, Clojurescript is a dialect of Clojure that runs in the browser (or anywhere else you can run Javascript)

slipset13:08:13

I appreciate that this is hard to write in a way which doesn’t confuse the simple likes of me, and I have no clue about how to write it clearer while still keeping it concise and correct.

Alex Miller (Clojure team)13:08:20

every release David does has the first line "ClojureScript, the Clojure compiler that emits JavaScript source code."

slipset13:08:10

lol, and I tend to read most of them 🙂 It’s not easy writing for the internets.

slipset13:08:19

I guess I’m just complecting language and compiler.

slipset13:08:45

Anyways, thanks for the site and the great work!

borkdude13:08:06

Congrats on the new site!

octahedrion14:08:36

@alexmiller: this is great, but one small annoyance: "Using ClojureScript on a Web Page" begins with an error "You will not see "Hello world!" but instead you will likely see an error like the following:" which I think will put newbies off. It would be better to show them how to do it right, then point them to common errors and how to fix them afterwards

Alex Miller (Clojure team)14:08:05

all content was copied over from the ClojureScript wiki page and there are many that probably need updating

octahedrion14:08:09

i.e. don't start with a negative because we want to encourage people

Alex Miller (Clojure team)14:08:21

please file an issue or better, a PR !

Alex Miller (Clojure team)14:08:22

if you’re submitting a PR, you will also need to sign the Contributors Agreement - see http://clojurescript.org/community/contributing_site

sandbags14:08:04

I want to load some EDN data to configure my re-agent app at runtime. As far as I can see there’s nothing built-in to CLJS to do this (no slurp for example) so I need to find a CLJS HTTP client and make a request. Is that right?

dnolen14:08:44

@sandbags: goog.net.XhrIo is a thing, you don’t need anything else

dnolen14:08:16

if for some reason you want something that appears more idiomatic sure 3rd party library - but Google Closure is just fine for this

sandbags14:08:52

Thanks @dnolen I guess a thin wrapper over Closure would be nice, if not I’ll use it direct. thanks for the pointer.

serce14:08:20

"The engines, in the large, are specifically oriented towards JavaScript semantics and execution, i.e. they are not as general as the JVM and CLR." O, RLY? With JS your performance will fall into a huge hole as soon as you use the dynamic nature of the JS language

anmonteiro14:08:54

@dnolen: what’s the status of Spec parity with Clojure as of the latest release?

dnolen14:08:22

@anmonteiro: at parity with the caveat that cljs.spec.test is a bunch of macros instead of fns

dnolen14:08:29

which I don’t think really matters much in actual usage

anmonteiro14:08:46

@dnolen: clojure.spec/assert is not portable then, is it?

dnolen14:08:08

@anmonteiro: oh right I might have missed assert actually

dnolen14:08:18

somebody can submit a patch for that 😉

sandbags14:08:58

heh… i noticed that this morning and assumed it was deliberate 🙂

dnolen14:08:20

I encourage everyone to kick the cljs.spec tires that are there - the sooner issues get flushed out the better

sekao14:08:43

Is there any standard practice for how to instrument a cljs app only during development? I'm imagining conditionally calling instrument if it's running without optimizations but not sure how to determine that.

dnolen14:08:13

@sekao: there isn’t but I can certainly imagine a number of ways to do it - either via custom builds (like test builds) or some component like approach

chris14:08:43

I was looking at the cljs JIRA and one of the latest issues is http://dev.clojure.org/jira/browse/CLJS-1710, which talks about how there is no double-in in cljs spec. which I thought was because all numbers are doubles and thus double-in doesn’t make sense. I checked the source and I noticed there is an int-in though, which I thought was weird, why is this?

chris14:08:54

or rather, what’s an int in cljs?

chris14:08:54

nevermind, a goog.math.Integer or a goog.math.Long. now to go figure out what those are...

dnolen14:08:24

@chris some things are tied to clojure.test.check and the provided generators

sekao14:08:38

@dnolen or anyone interested in instrumenting only during dev: it looks like with boot-cljs you just need a separate dev-resources and prod-resources that contain separate main.cljs.edn files. that config lets you specify :init-fns, so the dev one can just include a call to cljs.spec.test/instrument. seems to work!

xcthulhu15:08:08

@chris: Be careful with goog.math.Integer, multiplication is currently broken upstream and pending a patch: https://github.com/google/closure-library/pull/741

sekao17:08:25

anyone experiencing an error when instrumenting a multi-arity function? i saw that it was reported already but it is marked as resolved. i’m getting the same error in 1.9.211: http://dev.clojure.org/jira/browse/CLJS-1663

dnolen17:08:15

“same error” is not particularly useful information 🙂

dnolen17:08:25

show a complete, independent failing example - thanks

sekao17:08:24

i’m happy to file an issue on jira, i just hesitated since i saw there already is one that is closed

dnolen17:08:12

Alt is not right you want cat

dnolen17:08:30

Oh hrm ok will take a look in a bit

dnolen17:08:34

Sorry on phone

dnolen17:08:09

@sekao definitely a regression, fixed and cutting a release now

sekao17:08:42

ok thanks!

dnolen18:08:50

@sekao: 1.9.216 released

dnolen18:08:31

@anmonteiro: includes assert ^

hueyp18:08:07

is there a good way to kinda turn on a global flag? e.g. (def ^:dynamic *profile* nil) … I know I can binding it … but if I just wanted to make it true for awhile 🙂

hueyp18:08:57

@jr: :thumbsup:

martinklepsch18:08:20

There are also :closure-defines but that's compiler settings so you need to restart compiler for changes

rorydouglas18:08:55

@sandbags: i’ve been using https://github.com/r0man/cljs-http quite successfully, returns a core.async channel to work with

uwo20:08:11

intermittently I’m unable to call prn while js/console.log continues to work. I am using (enable-console-print!). Any guesses?

sandbags20:08:32

@rorydouglas: thanks for the pointer, sounds good

juhoteperi20:08:32

@uwo: As a workaround I suggest using cljs-devtools + js/console.log

uwo20:08:22

@juhoteperi: yeah, cljs-devtools is pretty cool!

juhoteperi20:08:24

@uwo: Btw. what version of boot-cljs-repl do you have (if any?)

juhoteperi20:08:40

@uwo: Could you try 0.3.3, it is possible that the cause is that piggieback by default redirects all output to REPL instead of console, 0.3.3 overwrites this default.

uwo20:08:58

@juhoteperi: it took me a moment to ensure that I was using 0.3.3. It doesn’t appear to fix the issue

shaunlebron22:08:08

not sure if everyone is familiar with “namespaced maps”, but it is a new syntax that was added this week to cljs

shaunlebron22:08:40

i’m trying to keep a clear and comprehensive syntax reference here: http://cljs.github.io/api/syntax/

georgek23:08:16

A quick search for how to use clojure libraries (specifically datomic-backed libs) with clojurescript didn’t turn up anything definitive. Anybody have advice?

georgek23:08:11

(Currently I have routing and other api-esk libs running via nginx-clojure that serves templated pages which wraps the datomic queries and I would like to include my reagent stuff so I can serve all the content from the same place and re-use the datomic libs which are in a clojure namespace)

georgek23:08:10

Oh. I’m using Boot although Lein advice is cool, thanks!

georgek23:08:47

Great! Thanks for the lightning-quick response. I’ll check it out!

danielcompton23:08:05

Can you explain what you’re trying to do a little further? Not quite sure I understand

georgek23:08:09

Sure, to start with I’m planning on using nginx-clojure for everything. I’ve written a set of api’s that deal with application logic in general and have written a few nginx handlers to serve up templated pages that are backed by an aws ddb datomic store. Since most of the app really is going to be in reagent I’m looking for a way to re-use my internal api libs (that currently are clojure/datomic) in the clojurescript part

georgek23:08:09

Not sure it’s really relevant that I’ve specified handlers and routes for the handful of templated pages since the api’s I want to use are underneath them

danielcompton23:08:06

Cool, one way to do this is to have src/clj, src/cljc, and src/cljs directories for each type of file

danielcompton23:08:15

And write your cross platform code in cljc files

georgek23:08:50

well that sounds elegant

danielcompton23:08:57

Not quite sure how that will work with datomic stuff though