davidbau / seedrandom

seeded random number generator for Javascript

flatten() implementation produces warnings in the browser javascript console

mreinstein opened this issue · comments

here's what I see:

[screenshot: screen shot 2017-02-09 at 1 01 58 pm]

Here is the specific line that's causing the warnings: https://github.com/davidbau/seedrandom/blob/released/seedrandom.js#L169

I'm not sure why, but flatten() seems to be getting called on the window object. It's iterating over pretty much everything in the entire DOM, including some of these deprecated properties.

I'm thinking if this could be fixed, it would not only remove the warnings but probably improve performance as I'm sure iterating over everything attached to the window must be somewhat costly.

thoughts?

IIRC, the idea of using browser crypto is to allow good seeding without flatten. We should figure out how to make this work under browserify if it's not.

it definitely works in the browser. I'm pretty sure these are just warnings.

I guess my question is, what is flatten doing? is it coming up with a unique "fingerprint" for a seed based on the window object?

The idea is that if you ask for an auto seed, then it tries to generate a seed that is hard to anticipate.

On a browser with a crypto object, this is done using crypto.getRandomBytes().

But when that is not available, "flatten" does its best to collect as much local entropy as it reasonably can by traversing all visible state up to 3 levels deep in the window object, which captures entropy from the website, user, computer, and browser configuration. Unfortunately, that's slow and touches a lot of global variables including deprecated ones that trigger warnings. But it should not be done on a modern browser.

(Flatten is also used to produce a flat string seed from any non-string you might provide as a seed; but I'd expect to see these warnings in the case where flatten is used on an autoseed.)

@davidbau yeah it looks like getRandomValues() has broad support:

http://caniuse.com/#search=getrandomvalues

this might be a great replacement for the flatten() code (though it could be left as a fallback)

strange, the issue seems to have gone away. I've tried both your existing module code and my most recent PR and neither seem to trigger the issue. I'll close this for now. If it happens again I'll re-open with more details.

sorry for the noise!
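
The behaviour discussed in this thread, as an added sketch that is not seedrandom's own code: a seed picker that prefers `crypto.getRandomValues()` and only falls back to a depth-limited walk of the global object, which is the path that reads deprecated getters and produces the console warnings. `pickSeed`, `flattenSketch`, `makeFakeWindow` and the fake window contents are hypothetical names and constructed data.

```javascript
// Added illustration; every name below is hypothetical, not seedrandom's API.

// Bounded traversal in the spirit of the fallback described in the thread:
// read every enumerable property up to `depth` levels and collect the values.
function flattenSketch(obj, depth, out = []) {
  if (depth > 0 && obj !== null && typeof obj === 'object') {
    for (const key in obj) {
      try { flattenSketch(obj[key], depth - 1, out); } catch (e) { /* unreadable property */ }
    }
  } else {
    out.push(String(obj));
  }
  return out;
}

// Prefer the platform CSPRNG; walk global state only when it is missing.
function pickSeed(globalObj, width = 32) {
  const c = globalObj.crypto;
  if (c && typeof c.getRandomValues === 'function') {
    const bytes = new Uint8Array(width);
    c.getRandomValues(bytes);
    return { source: 'csprng', seed: Array.from(bytes) };
  }
  return { source: 'flatten', seed: flattenSketch(globalObj, 3) };
}

// Constructed stand-in for a browser global: one getter plays the role of a
// deprecated property that would log a console warning whenever it is read.
function makeFakeWindow(withCrypto) {
  const touched = [];
  const win = { screen: { width: 1280, height: 800 }, navigator: { language: 'en' } };
  Object.defineProperty(win, 'deprecatedThing', {
    enumerable: true,
    get() { touched.push('deprecatedThing'); return 'legacy'; },
  });
  if (withCrypto) {
    // Constructed deterministic filler so the sample runs offline;
    // a real browser supplies crypto.getRandomValues itself.
    win.crypto = { getRandomValues(buf) { buf.fill(7); return buf; } };
  }
  return { win, touched };
}

const modern = makeFakeWindow(true);
const legacy = makeFakeWindow(false);
console.log(pickSeed(modern.win).source, modern.touched); // CSPRNG path, no getters read
console.log(pickSeed(legacy.win).source, legacy.touched); // fallback path reads the getter
```

On the fallback path the seed is derived from observable page state, so it should not be treated as equivalent to CSPRNG output.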