PRNG: remove quota restriction; don't use window. #87
Conversation
dchest
force-pushed
the
newprng
branch
2 times, most recently
from
dc692df to
1af5522
Compare
PRNG: remove quota restriction; don't use window.
| crypto = window.msCrypto; // Internet Explorer 11+ | ||
| } | ||
| if (crypto) { | ||
| if (typeof process === 'undefined' || process.browser) { |
There was a problem hiding this comment.
nw.js (node-webkit) and electron has no process.browser. Don't tested, but this will not work I think.
There was a problem hiding this comment.
@b1rdex what do you think about this: https://github.com/dchest/tweetnacl-js/pull/90/files ?
There was a problem hiding this comment.
Here is my point: native crypto is better than DOM realisation. So check if
require('crypto') is present and usable, than fallback to DOM window.crypto
On Feb 20, 2016 18:37, "Dmitry Chestnykh" [email protected] wrote:
In nacl-fast.js
#87 (comment):
@@ -2361,17 +2361,16 @@ nacl.setPRNG = function(fn) {
// Initialize PRNG if environment provides CSPRNG.
// If not, methods calling randombytes will throw.
var crypto;
- if (typeof window !== 'undefined') {
- // Browser.
- if (window.crypto && window.crypto.getRandomValues) {
crypto = window.crypto; // Standard- } else if (window.msCrypto && window.msCrypto.getRandomValues) {
crypto = window.msCrypto; // Internet Explorer 11+- }
- if (crypto) {
- if (typeof process === 'undefined' || process.browser) {
@b1rdex https://github.com/b1rdex what do you think about this:
https://github.com/dchest/tweetnacl-js/pull/90/files ?
—
Reply to this email directly or view it on GitHub
https://github.com/dchest/tweetnacl-js/pull/87/files#r53547295.
There was a problem hiding this comment.
Here is my point: native crypto is better than DOM realisation. So check if
require('crypto') is present and usable, than fallback to DOM window.crypto
No, both are pretty much equally good CSPRNG (window.crypto is implemented by browsers natively, Node's crypto is from OpenSSL). If window.crypto is available, I'd prefer to use it.
There was a problem hiding this comment.
Ah got it. Then I vote just for process.browser removal.
On Feb 20, 2016 18:43, "Dmitry Chestnykh" [email protected] wrote:
In nacl-fast.js
#87 (comment):@@ -2361,17 +2361,16 @@ nacl.setPRNG = function(fn) {
// Initialize PRNG if environment provides CSPRNG.
// If not, methods calling randombytes will throw.
var crypto;
- if (typeof window !== 'undefined') {
- // Browser.
- if (window.crypto && window.crypto.getRandomValues) {
crypto = window.crypto; // Standard- } else if (window.msCrypto && window.msCrypto.getRandomValues) {
crypto = window.msCrypto; // Internet Explorer 11+- }
- if (crypto) {
- if (typeof process === 'undefined' || process.browser) {
Here is my point: native crypto is better than DOM realisation. So check if
require('crypto') is present and usable, than fallback to DOM window.cryptoNo, both are pretty much equally good CSPRNG (window.crypto is implemented
by browsers natively, Node's crypto is from OpenSSL).—
Reply to this email directly or view it on GitHub
https://github.com/dchest/tweetnacl-js/pull/87/files#r53547362.
There was a problem hiding this comment.
The new logic will be:
if (typeof process === 'undefined' || process.browser ||
(typeof window !== 'undefined' && window.self === self)) {
Do you know if WebWorkers in Electron/nw have process defined?
There was a problem hiding this comment.
There is long living nw.js issue about this:
nwjs/nw.js#494
So I think that's not available. Can't check now.
2016-02-20 18:54 GMT+10:00 Dmitry Chestnykh [email protected]:
In nacl-fast.js
#87 (comment):@@ -2361,17 +2361,16 @@ nacl.setPRNG = function(fn) {
// Initialize PRNG if environment provides CSPRNG.
// If not, methods calling randombytes will throw.
var crypto;
- if (typeof window !== 'undefined') {
- // Browser.
- if (window.crypto && window.crypto.getRandomValues) {
crypto = window.crypto; // Standard- } else if (window.msCrypto && window.msCrypto.getRandomValues) {
crypto = window.msCrypto; // Internet Explorer 11+- }
- if (crypto) {
- if (typeof process === 'undefined' || process.browser) {
The new logic will be:
if (typeof process === 'undefined' || process.browser ||
(typeof window !== 'undefined' && window.self === self)) {Do you know if WebWorkers in Electron/nw have process defined?
—
Reply to this email directly or view it on GitHub
https://github.com/dchest/tweetnacl-js/pull/87/files#r53547482.
There was a problem hiding this comment.
I think actually, you're right about process.browser, let's just do the normal detection of what I intended — if we're asking if self.crypto exists, let's check that, and try to fallback to require. I'll send pull request soon and post a link here.
There was a problem hiding this comment.
OK, here it is:
https://github.com/dchest/tweetnacl-js/pull/90/files
var crypto = typeof self !== 'undefined' ? (self.crypto || self.msCrypto) : null;
if (crypto && crypto.getRandomValues) {
...
} else if (typeof require !== 'undefined') {
If we have self.crypto.getRandomValues, use it, otherwise try require('crypto')
|
Summary: web workers and now good, but usage problems in nw.js and electron are still present. |
|
@b1rdex strange, what changed with regards to and now just the later part changed (which isn't triggered if Anyway, I'm looking into it. |
|
I know module.exports line not changed.
|
|
Ah, ok. |
|
OK, they have this in FAQ: so I guess if even jQuery requires deleting |
randombytes in browsers no longer throw when output length exceeds 65536
bytes. Remove mention of this from README.
Improve detection of environment (browser or Node) by also checking
process.browser.
Replace references to window with self. Fixes #65, closes #66.