Is it possible to offload custom user code that would be evaled to a Web Worker in a safe way?
The "only communicate with strings" feature of Web Workers looks promising, but eval'ing user code is pretty much always dangerous in interesting ways.
I can't find much information on the web about it. Would there be a good way to do that, either client-side, with some server-side sanitizing, or something else?
Web Workers can't change the DOM, so they can't create new elements and create an XSS attack this way. However, they can create XMLHttpRequests, so they can reach and request data from anything that follows the same-origin policy.
As long as you sanitize the messages to and from the worker you should be safe. Just allow specific strings, objects or integers and block other kinds of messages.
Also, if the Web Workers are only per-user and not being distributed between users, they won't allow your user to do anything they couldn't do already with the developer console.