New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent DOM access (i.e. XHR and such) #2

Open

natevw opened this issue Jul 5, 2013 · 1 comment

natevw commented Jul 5, 2013

Just spent today working on a sandboxing thing from a different angle before I found this. Turns out it's actually somewhat complementary!

The iframe.contentWindow.eval trick does a great job preventing an untrusted script from messing with other people's object prototypes.
Combining "use strict"; with a silly closure trick it seems possible to prevent access to all global objects…except object literal prototypes!

You can take a look at what I got on this in https://github.com/natevw/evel/blob/master/evel.js#L49 — I do whitelist the ES5 globals because I assume most code should be allowed to expect them. I'll be the first to admit that masking every global every function call is kind of "not ideal" but AFAICT combining https://github.com/natevw/evel's tricks with this iframe stuff yields a fairly declawed environment.

The text was updated successfully, but these errors were encountered:

natevw mentioned this issue

Prevent untrusted code from modifying prototypes natevw/evel#1

Closed

Hobart2967 commented Mar 20, 2022

For implementation, take a look at this! : https://www.w3schools.com/tags/att_iframe_sandbox.asp

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment