
What actually is sandboxing in JavaScript?

I understand the term sandbox. But my limited skills in JS are unable to help me understand what sandboxing in JS is. So, what actually is sandboxing? Apart from security, why do we need to sandbox JS?

Kumar asked Aug 12 '11 17:08



2 Answers

Sandboxing is the act of creating a scope in which no other part of the application can operate (unless given an opportunity to). More specifically, this is usually a function scope that exposes a limited subset of what's actually going on within it.

One library that's founded on the idea of sandboxes is YUI3. The basic unit of the application is a YUI instance sandbox:

var Y = YUI(); // creates a configurable YUI instance

// Creates a sandbox for one part of your application,
// including the 'node' module.
Y.use('node', function(Z) {
    // Z is a YUI instance that's specific to this sandbox.
    // Operations inside it are protected from outside code
    // unless exposed explicitly. Any modules you request in
    // use statement will be separately instanced just for
    // this sandbox (in this case, the 'node' module)
    //
    // That way, if another part of your application decides
    // to delete Z.Node (or worse, replace it with a
    // malicious proxy of Z.Node) the code you've written
    // here won't be affected.
});

The advantages of sandboxes are primarily to reduce application complexity: since sandboxes are immutable, they're much easier to reason about and verify. They also improve runtime security, since a well-designed sandbox should be able to operate as a black box to other scripts running on the page. It does not protect against all possible attacks, but it protects against many of the simple ones.

Nick Husher answered Nov 15 '22 10:11
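Added example, not part of the original answers and not YUI3's own code: a small function-scope sandbox in the spirit of the pattern described above. The names `makeRegistry`, `add`, `use` and the sample `node` module are hypothetical. Each `use` call receives its own frozen copies of the requested modules, so tampering in one sandbox cannot reach another.

```javascript
// Hypothetical illustration of the pattern; this is not how YUI3 is implemented.
function makeRegistry() {
  // Private to this closure: outside code cannot reach or replace factories.
  const factories = new Map();

  return Object.freeze({
    // Register a factory that builds a fresh copy of a module on demand.
    add(name, factory) {
      factories.set(name, factory);
    },
    // Run callback with a private, frozen instance holding fresh module copies.
    use(names, callback) {
      const instance = {};
      for (const name of names) {
        if (!factories.has(name)) throw new Error('unknown module: ' + name);
        instance[name] = Object.freeze(factories.get(name)());
      }
      return callback(Object.freeze(instance));
    },
  });
}

function demo() {
  const registry = makeRegistry();
  // Constructed sample module standing in for something like 'node'.
  registry.add('node', () => ({ text: (s) => String(s).toUpperCase() }));

  // Sandbox A: buggy or hostile code tries to swap the module for a proxy.
  const tamper = registry.use(['node'], (Z) => {
    try {
      Z.node = { text: () => 'hijacked' }; // ignored, or TypeError in strict mode
    } catch (e) { /* the frozen instance rejected the write */ }
    return Z.node.text('still mine');      // the original module is intact
  });

  // Sandbox B: gets its own copy, unaffected by anything A attempted.
  const output = registry.use(['node'], (Z) => Z.node.text('hello'));

  // Separate sandboxes never receive the same module object.
  const a = registry.use(['node'], (Z) => Z.node);
  const b = registry.use(['node'], (Z) => Z.node);

  return { tamper, output, distinctCopies: a !== b };
}

console.log(demo());
```

`Object.freeze` is shallow, so a module that exposes nested mutable objects would need those frozen as well.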


The JavaScript sandbox does exactly what you've said. It limits the scope of what a script can do. There are also benefits in terms of virtualising the resources the script can call on. This allows the sandbox host to marshal those resources for better performance and, say, stop an endlessly looping script from bringing the whole browser crashing down.

Simon Halsey answered Nov 15 '22 12:11