Does an iframe on a subdomain provide an adequate JS sandbox?

Let's say I have a page on example.com. This page includes an iframe showing sandbox.example.com.

---------------------------
| example.com             |
| ----------------------- |
| | sandbox.example.com | |
| |   (<canvas> + js)   | |
| ----------------------- |
---------------------------

The sandbox would be executing scripts that could be potentially dangerous. The sandbox would be a mix of my own JavaScript, running alongside untrusted JavaScript code from other sources.

I would expose far fewer of my application's routes to sandbox.example.com, so that the same origin policy should prevent any access to any sensitive data or actions. Things like session cookie theft and authenticated Ajax requests that change passwords are the types of issues I'm trying to avoid.

The idea is to have an extensible rendering engine, provided by me, which is extended by code from others, all thrown into a single page rendering to a single canvas.

So would this be considered safe? If you were logged into example.com, and running the iframe on sandbox.example.com with untrusted JS executing within it, would you be at risk for any kind of attack?

And is a subdomain adequate? Or would it be secure if it was an entirely different domain?

Alex Wayne asked Jul 02 '13 00:07

1 Answer

There are risks associated with untrusted and unsafe JavaScript - no matter whether it is run in an iframe or not. However the Same Origin Policy dictates that any scripts in your sandbox will not be able to interfere with anything in example.com.

Jimmery answered Nov 17 '22 09:11
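An added example, not code from the question or the answer, that makes concrete the two browser rules the question's design depends on and the answer relies on: the same-origin comparison (scheme, host, port) and RFC 6265 cookie domain-matching, which decides whether a cookie set by example.com is also sent to, and readable by script on, sandbox.example.com. It also shows the iframe `sandbox` attribute and an origin-checked `postMessage` receiver for the parent page. The origins, the cookie jar and the message types are assumptions made up for the example; the functions are pure so they run under Node.js without a browser.

```javascript
// Added example (not from the question or the answer). The origins, cookies
// and message shapes below are constructed to match the layout in the question.

const PARENT_ORIGIN = "https://example.com";            // assumed
const SANDBOX_ORIGIN = "https://sandbox.example.com";   // assumed

// Same-origin policy: two URLs share an origin only if scheme, host and port
// all match. A subdomain already fails this test, so script in the frame
// cannot touch the parent's DOM or read responses it fetches from example.com.
function isSameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// RFC 6265 section 5.1.3 domain-matching: a request host matches a cookie's
// Domain when they are equal, or the host ends with "." + Domain and the host
// is not an IP address. This is the rule that makes a cookie set with
// Domain=example.com flow to sandbox.example.com as well.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  return h.endsWith("." + d) && !/^[0-9.]+$/.test(h);
}

// Cookie record shape used here (constructed for the example):
//   { name, setBy: host that set it, domain: Domain attribute or null, httpOnly }
// Without a Domain attribute the cookie is host-only and never reaches a
// subdomain; with Domain=example.com it is sent to every *.example.com host.
function cookieSentTo(cookie, host) {
  if (cookie.domain === null) return host.toLowerCase() === cookie.setBy.toLowerCase();
  return domainMatches(host, cookie.domain);
}

// document.cookie in the frame sees a cookie only if the browser would send it
// to that host and it is not marked HttpOnly.
function cookieReadableByScriptOn(cookie, host) {
  return cookieSentTo(cookie, host) && !cookie.httpOnly;
}

// Names of the cookies that untrusted script inside the frame could read.
function cookiesExposedToSandbox(cookies) {
  const frameHost = new URL(SANDBOX_ORIGIN).hostname;
  return cookies.filter((c) => cookieReadableByScriptOn(c, frameHost)).map((c) => c.name);
}

// The <iframe> tag the parent page emits. A sandbox attribute that omits
// allow-same-origin gives the frame an opaque origin, so document.cookie
// throws in the frame and Domain matching no longer matters for it.
function sandboxFrameTag(src) {
  const safeSrc = src.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${safeSrc}" sandbox="allow-scripts"></iframe>`;
}

// Parent-side "message" handler: whatever the frame posts is untrusted input,
// so the origin is compared exactly and only two message types are accepted.
// Returns the normalised message, or null when it must be ignored.
function acceptSandboxMessage(event) {
  if (event.origin !== SANDBOX_ORIGIN) return null;
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (data.type !== "render-done" && data.type !== "render-error") return null;
  return { type: data.type, frame: Number(data.frame) || 0 };
}

// Constructed cookie jar: a host-only HttpOnly session cookie, a Domain-wide
// preference cookie readable by script, and a Domain-wide HttpOnly cookie.
const SAMPLE_COOKIES = [
  { name: "session", setBy: "example.com", domain: null, httpOnly: true },
  { name: "theme", setBy: "example.com", domain: "example.com", httpOnly: false },
  { name: "csrf", setBy: "example.com", domain: "example.com", httpOnly: true },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("parent and sandbox share an origin:", isSameOrigin(PARENT_ORIGIN, SANDBOX_ORIGIN)); // false
  console.log("cookies readable by sandbox script:", cookiesExposedToSandbox(SAMPLE_COOKIES)); // [ 'theme' ]
  console.log(sandboxFrameTag(SANDBOX_ORIGIN + "/render.html"));
}
```

Run it with `node`. The practical check is the cookie one: a session cookie set with `Domain=example.com` is sent to the subdomain and, unless it is `HttpOnly`, is readable by the untrusted script in the frame, while a host-only cookie never leaves example.com. Keeping the session cookie host-only and `HttpOnly`, or using the `sandbox` attribute so the frame has no origin of its own, removes that path; the same-origin policy on its own does not.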