Versions Compared

Old Version 9

changes.mady.by.user Sundararajan Athijegannathan

Saved on

compared with

New Version 10

changes.mady.by.user Sundararajan Athijegannathan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Nashorn supports 'load' builtin function. This can be called from a script to load another script from a URL or a File. When script is loaded with "load" call, Nashorn associates URL/File origin to the script and therefore permissions are granted as per the current security policy. This is another way to grant security permissions to specific scripts.

Summary of various ways of loading/evaluating script and security implications:

 

  • javax.script API: code submitted via engine.eval(String) and engine.eval(Reader) are always treated as sandbox code  - except for jdk.nashorn.api.scripting.URLReader. If you pass URLReader, script origin based on that URL associated is used. So, security permissions are based on the script origin URL.
  • calling "load" with a file File/URL- this method and command line method both associate a URL/File origin for the script and hence script URL/File based fine-grained permission can be used. When you run with security manager on, you can specify permissions for specific script URLs or file: URLs
  • Read string using a java library or otherwise and then calling ECMAScript "eval" builtin function. Script is treated as "sandbox" and hence only sandbox permissions. But, you can generate/modify script programmatically!
  • "load" from a script object as in load({ name: "foo", script: str}) This is equivalent to "eval" - but it associates a name with script and so stack traces will have nice readable name instead of <eval>. "str" may be computed or a literal. It does not matter. But, script is treated as 'sandbox'.
  • loadWithNewGlobal This is similar to load [all options are load available]. The difference is that it creates a new EMCAScript global scope and loads your code into that global. This avoids global namespace pollution. If you're going to use require or another module system and your scripts are well-behaved (as modules), you probably don't need this. But, it is useful when no module system exists and you want isolation. Note that security access permission is still only based on script origin url.
  • javax.script API engine.eval(Reader, Bindings) or engine.eval(String, Bindings). This is similar to the other engine.eval methods in that these are sandbox script evaluations unless Reader is a URLReader. But these methods create/associate a fresh ECMAScript global and load code there [similar to loadWithNewGlobal in that sense]