I'm using jsdom to load web pages with my Node.js application.
Sometimes, I don't get the full DOM because some web pages use scripts to load their content dynamically after the onload event is triggered.
jsdom deactivates the execution of these scripts by default because it would cause a security flaw, as stated in their documentation:
The jsdom sandbox is not foolproof, and code running inside the DOM's <script>s can, if it tries hard enough, get access to the Node.js environment, and thus to your machine.
I was wondering if there was a way to make it foolproof using some workarounds? I'm kind of new to Node.js development and as it is a single-threaded environment, I'm not sure how I can create a secured sandbox.
Node.js does not have this kind of security out of the box. If you'll be running untrusted, 3rd party code in your Node engine, you'll need to use operating system tools to isolate and secure it.
Things you could look into:
chroot jail
Do some research on these approaches and their limitations, and see which suits your purpose best. A virtual machine will offer the greatest isolation and least chance for error, I think, but it has the greatest overhead. All approaches could be made to work.
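Node-side plumbing for the answer's advice, as an added example that is not part of the original answer: page scripts run in a disposable child process with an empty environment, a time limit and a heap cap, and only the serialized DOM comes back. `renderInChild`, its options and the 2-second settle delay are hypothetical; the child is still an ordinary process, so the chroot jail or virtual machine the answer mentions goes around it.

```javascript
const { spawnSync } = require('child_process');

// Child-side source (assumes the jsdom package is resolvable from `cwd`).
// Page HTML arrives on stdin; the serialized DOM leaves on stdout.
const JSDOM_WORKER = `
const { JSDOM } = require('jsdom');
let html = '';
process.stdin.on('data', (chunk) => { html += chunk; });
process.stdin.on('end', () => {
  const dom = new JSDOM(html, { runScripts: 'dangerously', resources: 'usable' });
  // Assumed fixed settle delay so page scripts can build the DOM.
  setTimeout(() => { process.stdout.write(dom.serialize()); process.exit(0); }, 2000);
});
`;

// Hypothetical helper: run page scripts in a disposable child process.
function renderInChild(html, opts = {}) {
  const res = spawnSync(
    process.execPath,
    [`--max-old-space-size=${opts.heapMb || 128}`, '-e', opts.worker || JSDOM_WORKER],
    {
      input: html,
      encoding: 'utf8',
      env: {},                           // parent's secrets are not inherited
      cwd: opts.cwd || process.cwd(),    // directory holding node_modules/jsdom
      timeout: opts.timeoutMs || 10000,  // runaway scripts are killed
      killSignal: 'SIGKILL',
      maxBuffer: opts.maxBytes || 5 * 1024 * 1024, // cap on returned output
      uid: opts.uid,                     // optional unprivileged account;
      gid: opts.gid,                     // setting these requires root
    }
  );
  const code = res.error && res.error.code;
  return {
    ok: res.status === 0 && !res.error,
    html: res.stdout || '',
    timedOut: code === 'ETIMEDOUT',
    tooLarge: code === 'ENOBUFS',
    stderr: res.stderr || '',
  };
}
```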