6

I want to have developers write some custom apps for a site in Javascript but I want to sandbox it so they can't do anything naughty like redirect the user, set the body display to none etc etc. I have a namespace in Javascript where all the functions they'll ever need exist in there so I was thinking to create a sandbox would be a matter of:

with(Namespace) { //App code goes here where they can only access Namespace.* }

How is easy is it to get around this and what other methods can be done? Would rather not have to moderate every submitted app.

Improve this question
1

3 Answers 3

Reset to default
8

Well, the options to sandbox code at the moment are:

Both allow you to create a safe environment where the access to the global object and the DOM is restricted.

The primary purpose of these projects is to allow you to safely embed widgets and any web content from third parties.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Does it also prevent them from modifying Object.prototype?
2

The first thing that comes to mind is eval. They can use that to execute custom code outside of the wrapper sandbox. It will be very hard to stop a determined developer by attempting to wrap the code.

Link to the use of eval.

Improve this answer

1 Comment

Google Caja and ADSafe can restrict eval :-)
1

To enforce a sandbox, you would have to inspect the code before it is executed, capture any non-legit code and if found, somehow prevent it from running. Very tedious and prone for errors for a long time.

Facebook did this at least in their early platform, I, as a developer, definitely did not enjoy it. They limited the native methods that could be used, and provided limited wrappers around some.

Improve this answer

1 Comment

In fact, it is impossible to write such a code inspector, because it can boil down to solving the halting problem ;) (think of constructing s in some weird way and calling window[s]())

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.