Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow AMP to be compiled with full property obfuscation #9876

Closed
10 tasks done
cramforce opened this issue Jun 13, 2017 · 7 comments
Closed
10 tasks done

Allow AMP to be compiled with full property obfuscation #9876

cramforce opened this issue Jun 13, 2017 · 7 comments

Comments

@cramforce
Copy link
Member

cramforce commented Jun 13, 2017

@erwinmombay and me are preparing the AMP code base for more aggressive optimizations in the closure compiler.

Right now only private properties are obfuscated. Soon, among other things, all properties will be obfuscated unless we stop them.

That means stuff like

foo.mutateElement might become a.a;

saving lots of bytes :)

However, it also means that if you so something like

JSON.stringify({type: 'abc'})

then type might be obfuscated, but the party that parsrs the json (Say youtube) might have had no idea and break.

For this reason you must now always quote properties like {'type': 'abc'} or foo['type'] when accessing properties that come from an external source. That is unless you created an "Extern" for the type (beyond the scope of this email).

I submitted a bunch of PRs
#9876, #9960

that use the type system to enforce y'all doing this right as much as possible.

It might, however, miss some stuff. E.g. json['foo'].bar is not an error, but would break. You have to write json['foo']['bar']
There might be more cases that the typing doesn't catch. If you find a case where you think a property should be quoted, but the compiler doesn't yell at you, please ping me.

The cases where we need to be careful are:

Tasks:

  • Audit all calls to JSON.parse
  • Audit all calls to JSON.stringify
  • Change types of sendMessage and friends.
  • fetch body
  • parseQueryString
  • Polyfills need to use correct externed types.
  • Tighten type of event.data for Message events.
  • Audit amp-analytics config
  • Audit amp-social share config
  • dataset and classlist
@cramforce cramforce self-assigned this Jun 13, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 15, 2017
The new type limits the APIs to be used with `JsonObject` to enforce that objects being passed to them used quoted property names not subject to obfuscation.

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 15, 2017
The new type limits the APIs to be used with `JsonObject` to enforce that objects being passed to them used quoted property names not subject to obfuscation.

Part of ampproject#9876
cramforce added a commit that referenced this issue Jun 15, 2017
The new type limits the APIs to be used with `JsonObject` to enforce that objects being passed to them used quoted property names not subject to obfuscation.

Part of #9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 16, 2017
Replaces `JSON.parse` with `jsonParse` which returns a `JsonObject` and hence enforces `@dict` treatment.

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 16, 2017
Replaces `JSON.parse` with `jsonParse` which returns a `JsonObject` and hence enforces `@dict` treatment.

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 16, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 16, 2017
@alanorozco
Copy link
Member

What about setStyles? Uses the object key names for the style props.

cramforce added a commit to cramforce/amphtml that referenced this issue Jun 16, 2017
cramforce added a commit that referenced this issue Jun 16, 2017
Replaces `JSON.parse` with `jsonParse` which returns a `JsonObject` and hence enforces `@dict` treatment.

Part of #9876
@cramforce
Copy link
Member Author

@alanorozco Should be covered by externs.

@alanorozco
Copy link
Member

@cramforce AFAICT externs would cover that from setStyles -> native API, right? What about the actual uses of setStyles? Like opacity in setStyles(x, { 'opacity': 0 });

@cramforce
Copy link
Member Author

@alanorozco We'll need to try, but basically because the compiler is very conservative it will assume that this might be an externed object.

cramforce added a commit to cramforce/amphtml that referenced this issue Jun 16, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 19, 2017
…to ensure the data is considered an external `JsonObject`. Forces the use of a `getData` function instead of accessing the `.data` property directly. The function returns the proper type.

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 19, 2017
…to ensure the data is considered an external `JsonObject`. Forces the use of a `getData` function instead of accessing the `.data` property directly. The function returns the proper type.

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 19, 2017
…to ensure the data is considered an external `JsonObject`. Forces the use of a `getData` function instead of accessing the `.data` property directly. The function returns the proper type.

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 19, 2017
…to ensure the data is considered an external `JsonObject`. Forces the use of a `getData` function instead of accessing the `.data` property directly. The function returns the proper type.

Part of ampproject#9876
cramforce added a commit that referenced this issue Jun 20, 2017
…to ensure the data is considered an external `JsonObject`. Forces the use of a `getData` function instead of accessing the `.data` property directly. The function returns the proper type.

Part of #9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 21, 2017
And some follow up fixes caught by that.

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 23, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 27, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 27, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 30, 2017
Who knew that we hadn't finished this? :)

Part of ampproject#9876
cramforce added a commit that referenced this issue Jun 30, 2017
Who knew that we hadn't finished this? :)

Part of #9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 30, 2017
Who knew that we hadn't finished this? :)

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 30, 2017
Who knew that we hadn't finished this? :)

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jun 30, 2017
Who knew that we hadn't finished this? :)

Part of ampproject#9876
cramforce added a commit that referenced this issue Jun 30, 2017
Who knew that we hadn't finished this? :)

Part of #9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jul 1, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jul 1, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jul 2, 2017
cramforce added a commit to cramforce/amphtml that referenced this issue Jul 2, 2017
Tightens type for `Element.prototype.dataset` to be an `@dict` object that requires property access.

Part of ampproject#9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jul 2, 2017
We enforce via the linter (ampproject#10107) that arguments to `dict` are object literals. So, there is no need to copy.

Part of  ampproject#9876
cramforce added a commit that referenced this issue Jul 2, 2017
We enforce via the linter (#10107) that arguments to `dict` are object literals. So, there is no need to copy.

Part of  #9876
cramforce added a commit to cramforce/amphtml that referenced this issue Jul 5, 2017
Tightens type for `Element.prototype.dataset` to be an `@dict` object that requires property access.

Part of ampproject#9876
cramforce added a commit that referenced this issue Jul 5, 2017
#10231)

Tightens type for `Element.prototype.dataset` to be an `@dict` object that requires property access.

Part of #9876
@ampprojectbot ampprojectbot added this to the Pending Triage milestone Sep 12, 2017
@ampprojectbot
Copy link
Member

This issue seems to be in Pending Triage for awhile. @cramforce Please triage this to an appropriate milestone.

2 similar comments
@ampprojectbot
Copy link
Member

This issue seems to be in Pending Triage for awhile. @cramforce Please triage this to an appropriate milestone.

@ampprojectbot
Copy link
Member

This issue seems to be in Pending Triage for awhile. @cramforce Please triage this to an appropriate milestone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants