Javascript Sandbox

2020-07-11 07:21发布

问题:

I want to have developers write some custom apps for a site in Javascript but I want to sandbox it so they can't do anything naughty like redirect the user, set the body display to none etc etc. I have a namespace in Javascript where all the functions they'll ever need exist in there so I was thinking to create a sandbox would be a matter of:

with(Namespace) {
    //App code goes here where they can only access Namespace.*
}

How is easy is it to get around this and what other methods can be done? Would rather not have to moderate every submitted app.

回答1:

To enforce a sandbox, you would have to inspect the code before it is executed, capture any non-legit code and if found, somehow prevent it from running. Very tedious and prone for errors for a long time.

Facebook did this at least in their early platform, I, as a developer, definitely did not enjoy it. They limited the native methods that could be used, and provided limited wrappers around some.



回答2:

Well, the options to sandbox code at the moment are:

  • Google Caja Project
  • ADSafe

Both allow you to create a safe environment where the access to the global object and the DOM is restricted.

The primary purpose of these projects is to allow you to safely embed widgets and any web content from third parties.



回答3:

The first thing that comes to mind is eval. They can use that to execute custom code outside of the wrapper sandbox. It will be very hard to stop a determined developer by attempting to wrap the code.

Link to the use of eval.