Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Prevent DOM access (i.e. XHR and such) #2

Open
natevw opened this Issue Jul 5, 2013 · 0 comments

Comments

Projects
None yet
1 participant

natevw commented Jul 5, 2013

Just spent today working on a sandboxing thing from a different angle before I found this. Turns out it's actually somewhat complementary!

  1. The iframe.contentWindow.eval trick does a great job preventing an untrusted script from messing with other people's object prototypes.
  2. Combining "use strict"; with a silly closure trick it seems possible to prevent access to all global objects…except object literal prototypes!

You can take a look at what I got on this in https://github.com/natevw/evel/blob/master/evel.js#L49 — I do whitelist the ES5 globals because I assume most code should be allowed to expect them. I'll be the first to admit that masking every global every function call is kind of "not ideal" but AFAICT combining https://github.com/natevw/evel's tricks with this iframe stuff yields a fairly declawed environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment