views: 96
answers: 4

+4  Q: 

Javascript Sandbox

I want to have developers write some custom apps for a site in Javascript, but I want to sandbox it so they can't do anything naughty like redirect the user, set the body display to none, etc. I have a namespace in Javascript where all the functions they'll ever need exist, so I was thinking that creating a sandbox would be a matter of:

with(Namespace) {
    //App code goes here where they can only access Namespace.*
}

How easy is it to get around this, and what other methods can be used? I would rather not have to moderate every submitted app.

+2  A: 

The first thing that comes to mind is eval. They can use that to execute custom code outside of the wrapper sandbox. It will be very hard to stop a determined developer by attempting to wrap the code.

Link to the use of eval.

Kevin
Google Caja and ADSafe can restrict `eval` :-)
CMS
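The following is an added example, not code from the question or from any of the answers. It runs under Node.js and demonstrates both the weakness the question asks about (names that are not on `Namespace` fall through the `with` scope to the real globals, and `this` is the global object) and the `eval`/`Function` escape the answer above describes. `Namespace`, the sample "apps" and the `__demoPage` object are constructed for the demo; in a browser the targets would be `window.location` and `document.body.style`. The `with` wrapper is built with `new Function` so it parses in sloppy mode no matter how the file is loaded (`with` is a SyntaxError under `'use strict'`).

```javascript
// Added example: why with(Namespace) { ... } is not a sandbox.
// Everything below (Namespace, the apps, __demoPage) is constructed for this demo.

const Namespace = {
  greet(name) { return "hello " + name; },
  // Naive hardening attempt: shadow the obvious escape hatches inside the with scope.
  // Any name that is an own property of Namespace resolves to it, so these become unusable.
  eval: undefined,
  Function: undefined,
  globalThis: undefined,
  window: undefined,
};

// Stand-in for page state the site wants to protect (location, body display).
function resetPage() {
  globalThis.__demoPage = { location: "https://example.test/app", bodyDisplay: "block" };
  return globalThis.__demoPage;
}

// Runs an untrusted app exactly as the question proposes. The Function constructor
// always produces a sloppy-mode function, so the with statement is legal here.
function runInWithSandbox(appSource) {
  const wrapper = new Function("Namespace", "with (Namespace) {\n" + appSource + "\n}");
  return wrapper(Namespace); // called without a receiver: `this` is the global object
}

// Each entry is a complete "app" as a developer could submit it.
const escapes = {
  // The shadowing above does what it says: eval is gone from the with scope...
  shadowedEval: "return typeof eval;",
  // ...but `this` in a sloppy function called without a receiver is the global object.
  thisEscape: "return this.__demoPage.location;",
  // Any function exposed on Namespace has Function as its constructor, which compiles
  // code in global scope and never sees the with block at all.
  constructorChain: "return greet.constructor('return this')().__demoPage.location;",
  // The same path exists from any object literal: ({}).constructor is Object,
  // Object.constructor is Function. No Namespace member is needed.
  literalConstructor: "return ({}).constructor.constructor('return this')().__demoPage.bodyDisplay;",
  // Indirect eval through the global object evaluates in global scope.
  indirectEval: "return this.eval('__demoPage.location');",
};

// The "naughty" app from the question: redirect the user and hide the body,
// while still looking like a legitimate app that only calls Namespace.greet.
const maliciousApp = `
  var page = this.__demoPage;
  page.location = "https://evil.example/";
  page.bodyDisplay = "none";
  return greet("victim");
`;

// Runs every app against a fresh page and reports what the "sandbox" let through.
function demonstrate() {
  resetPage();
  const results = {};
  for (const [name, src] of Object.entries(escapes)) {
    results[name] = runInWithSandbox(src);
  }
  results.malicious = runInWithSandbox(maliciousApp);
  results.pageAfter = { ...globalThis.__demoPage };
  return results;
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The point of the shadowed `eval`/`Function`/`window` entries is that blocking the identifiers you can think of does not close the scope chain: `with` only consults `Namespace` first, and anything reachable from a function object or from `this` still leads back to the global object. That is why the tools named in the later answers rewrite or restrict the language itself rather than wrapping it.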
+1  A: 

I recommend you do not sandbox. The reason being that it just isn't worth the effort. Just perform proper code reviews as development takes place.

ChaosPandion
I get the impression this is for third party plugins, and he won't have control over everything that gets written.
Joel Coehoorn
Well I can chose to either moderate the submitted apps or be optimistic with a sandbox and hopefully it will be reported if it is dangerous.
Louis
+1  A: 

To enforce a sandbox, you would have to inspect the code before it is executed, capture any non-legit code and, if found, somehow prevent it from running. Very tedious and prone to errors for a long time.

Facebook did this, at least in their early platform; I, as a developer, definitely did not enjoy it. They limited the native methods that could be used, and provided limited wrappers around some.

Lauri Lehtinen
+1  A: 

Well, the options to sandbox code at the moment are:

- Google Caja
- ADsafe

Both allow you to create a safe environment where the access to the global object and the DOM is restricted.

The primary purpose of these projects is to allow you to safely embed widgets and any web content from third parties.

CMS