Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I sandbox untrusted user-submitted JavaScript content?

Tags:

javascript

same-origin-policy

iframe

sandbox

I need to serve user-submitted scripts on my site (sort of like jsfiddle). I want the scripts to run on visitors browsers in a safe manner, isolated from the page they are served on. Since the code is submitted by users, there is no guarantee it is trustworthy.

Right now I can think of three options:

  • Serve the user-submitted content in an iframe from a different domain, and rely on the same-origin policy. This would require setting up an additional domain which I'd like to avoid if possible. I believe this is how jsfiddle does it. The script can still do some damage, changing top.location.href for example, which is less than ideal. http://jsfiddle.net/PzkUw/
  • Use the sandbox attribute. I suspect this is not well supported across browsers.
  • Sanitize the scripts before serving them. I would rather not go there.

Are there any other solutions, or recommendations on the above?

Update

If, as I suspect, the first option is the best solution, what can a malicious script do other than change the top window location, and how can I prevent this? I can manipulate or reject certain scripts based on static code analysis but this is hard given the number of ways objects can be accessed and the difficulty analysing javascript statically in general. At the very least, it would require a full-blown parser and a number of complex rules (some, but I suspect not all, of which are present in JSLint).

like image 365
Flash Avatar asked Aug 31 '12 05:08

Flash

1 Answers

Create a well defined message interface and use JavaScript Web Worker for the code you want to sandbox. HTML5 Web Workers

Web Workers do not have access to the following DOM objects.

  • The window object

  • The document object

  • The parent object

So they can't redirect your page or alter data on it.

You can create a template and a well defined messaging interface so that users can create web worker scripts, but your script would have the final say on what gets manipulated.

EDIT Comment by Jordan Gray plugging a JavaScript library that seems to do what I described above. https://github.com/eligrey/jsandbox

like image 199
Louis Ricci Avatar answered Sep 19 '22 12:09

Louis Ricci
Sign in to Comment

Related questions

Trigger an event when user navigates away
Animating a line drawn between 2 elements without canvas, linking by ID's
Exclude module from webpack minification
importing a package in ES6: "Failed to resolve module specifier "vue""
Podcasts about JavaScript programming [closed]
Client only cookies - cookie which doesn't ever go to the server
Twitter bootstrap:Popovers are not showing up on first click but show up on second click
jQuery DataTable - Hide rows the intended way
Mocking JavaScript constructor with Sinon.JS
Print a pdf without visually opening it
Are there any recent Lua to JavaScript converters or interpreters somewhere? [closed]
add an onclick event to a div
Exit not only from child function but from whole parent function
progress notifications in ECMAScript Promise
overflow-y not working in safari inside a modal
Do I ever need explicit allowSyntheticDefaultImports if esModuleInterop is true configuring TypeScript transpilation?
Visual Studio Javascript extensions feature comparison
How to protect an API Key when using JavaScript?
handling backbone model/collection changes in react.js
Gulp task with different source depending on arguments

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!