I'd like to be able to allow community members to supply their own javascript code for others to use, because the users' imaginations are collectively far greater than any
Since HTML5 has now become available you can use a sandbox for untrusted JavaScript code.
The OWASP HTML5 Security Cheat Sheet comments on Sandboxed frames:
- Use the sandbox attribute of an iframe for untrusted content.
- The sandbox attribute of an iframe enables restrictions on content within an iframe. The following restrictions are active when the sandbox attribute is set:
  - All markup is treated as being from a unique origin.
  - All forms and scripts are disabled.
  - All links are prevented from targeting other browsing contexts.
  - All features that trigger automatically are blocked.
  - All plugins are disabled.
- It is possible to have fine-grained control over iframe capabilities using the value of the sandbox attribute. In old versions of user agents where this feature is not supported, this attribute will be ignored. Use this feature as an additional layer of protection or check if the browser supports sandboxed frames and only show the untrusted content if supported.
- Apart from this attribute, to prevent Clickjacking attacks and unsolicited framing it is encouraged to use the header `X-Frame-Options`, which supports the `deny` and `same-origin` values. Other solutions like framebusting (`if (window !== window.top) { window.top.location = location; }`) are not recommended.
You can allow scripts to run while keeping the other restrictions in place. However, you should make sure that scripts run from a different domain than your main content in order to prevent XSS attacks by an attacker redirecting a user to load the page directly (i.e. not via your IFrame).
This will restrict scripts from using eval to attack your main domain, but it may be that this would also prevent the scripts from actually being powerful enough for your needs. Any interaction with your main domain would have to be via Window.postMessage. If this is too restrictive then @bobince's answer still has the best suggestions for workarounds.
Please see my other answer for details of how a sandbox can be safely implemented.
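The following is an added example, not code from the answer above or from OWASP: the parent-page side of the approach the answer describes (an `allow-scripts` sandboxed iframe served from a separate host, with results coming back through `window.postMessage`) and the check the parent applies to each message. The origins `https://app.example` and `https://usercode-sandbox.example`, the `/run?script=` URL and the `{ type: "result", value }` message shape are assumptions made for illustration. One point the paragraph does not spell out is that a sandboxed frame without `allow-same-origin` has an opaque origin, so messages from it arrive with `event.origin === "null"` rather than the sandbox host's origin; the check therefore relies on the identity of `event.source`.

```javascript
// Added example (not part of the original answer or of OWASP's text): the
// parent-page side of hosting untrusted community JavaScript in a sandboxed
// iframe, plus the check applied to messages the frame posts back. Origins
// and the message shape below are assumptions for illustration.
const MAIN_ORIGIN = "https://app.example";                // assumed main site
const SANDBOX_HOST = "https://usercode-sandbox.example";  // assumed separate host

// Build the sandbox attribute value. "allow-same-origin" is never added:
// with allow-scripts and allow-same-origin together, a frame served from the
// parent's own origin could reach up and remove its own sandbox attribute.
function buildSandboxAttr(options = {}) {
  const tokens = [];
  if (options.scripts) tokens.push("allow-scripts");
  if (options.forms) tokens.push("allow-forms");
  if (options.popups) tokens.push("allow-popups");
  return tokens.join(" "); // "" means fully restricted
}

// Validate a MessageEvent received by the parent. A sandboxed frame without
// allow-same-origin has an opaque origin, so event.origin is the string
// "null" rather than SANDBOX_HOST; the identity of event.source is therefore
// what ties the message to our frame, and the payload stays untrusted data.
function acceptSandboxMessage(event, frameWindow) {
  if (event.origin !== "null") return null;        // not from an opaque-origin frame
  if (event.source !== frameWindow) return null;   // not our frame
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "result") return null;
  if (typeof data.value !== "string" || data.value.length > 4096) return null;
  return { type: "result", value: data.value };
}

// Create the frame. The document loaded into it comes from SANDBOX_HOST, so a
// user who opens that URL directly (outside the iframe) still runs the code
// on a domain with no access to MAIN_ORIGIN's cookies or DOM.
function mountSandbox(doc, scriptId) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", buildSandboxAttr({ scripts: true }));
  frame.src = `${SANDBOX_HOST}/run?script=${encodeURIComponent(scriptId)}`;
  doc.body.appendChild(frame);
  return frame;
}

// Browser-only wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = mountSandbox(document, "demo-script");
  window.addEventListener("message", (event) => {
    const msg = acceptSandboxMessage(event, frame.contentWindow);
    if (msg) {
      const out = document.createElement("pre");
      out.textContent = msg.value;   // textContent, never innerHTML
      document.body.appendChild(out);
    }
  });
  // The parent cannot name an opaque origin as targetOrigin, so anything it
  // sends into the frame must be non-sensitive and use "*":
  frame.addEventListener("load", () => {
    frame.contentWindow.postMessage({ type: "run" }, "*");
  });
  // Inside the sandboxed document the result is returned with
  //   parent.postMessage({ type: "result", value: "..." }, MAIN_ORIGIN);
  // so it is only delivered when the embedding page really is MAIN_ORIGIN.
}
```

Because the frame's origin is opaque, the usual `event.origin === expectedOrigin` comparison would reject every message from it; checking `event.source` against `frame.contentWindow` is what prevents another frame or window from spoofing results, and the payload is still validated field by field before use.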