Thursday, June 25th, 2009

JavaScript sandbox using Web Workers

Category: JavaScript, Library

<>p>We have been sandboxing JavaScript in iframes for a long time. The Web Worker API has the nice property that it doesn’t have access to objects like document and the like, and just runs code that you can pass over to it.

With this, Elijah Grey has created an experimental jsandbox API that gives you an eval function that you pass in some code, and optionally input data, callback for results, and an onerror callback.

Code looks like this:

javascript
< view plain text >
  1. jsandbox
  2.     .eval({
  3.       code    : "x=1;Math.round(Math.pow(input, ++x))",
  4.       input   : 36.565010597564445,
  5.       callback: function(n) {
  6.           console.log("number: ", n); // number: 1337
  7.       }
  8.   }).eval({
  9.       code   : "][];.]\\ (*# ($(! ~",
  10.       onerror: function(ex) {
  11.           console.log("syntax error: ", ex); // syntax error: [error object]
  12.       }
  13.   }).eval({
  14.       code    : '"foo"+input',
  15.       input   : "bar",
  16.       callback: function(str) {
  17.           console.log("string: ", str); // string: foobar
  18.       }
  19.   }).eval({
  20.       code    : "({q:1, w:2})",
  21.       callback: function(obj) {
  22.           console.log("object: ", obj); // object: object q=1 w=2
  23.       }
  24.   }).eval({
  25.       code    : "[1, 2, 3].concat(input)",
  26.       input   : [4, 5, 6],
  27.       callback: function(arr) {
  28.           console.log("array: ", arr); // array: [1, 2, 3, 4, 5, 6]
  29.       }
  30.   }).eval({
  31.       code    : "function x(z){this.y=z;};new x(input)",
  32.       input   : 4,
  33.       callback: function(x) {
  34.           console.log("new x: ", x); // new x: object y=4
  35.       }
  36.   });

Related Content:

Posted by Dion Almaer at 6:17 am
5 Comments

+++--
3.1 rating from 24 votes

5 Comments »

Comments feed TrackBack URI

Dean Edwards’ “sandboxing” script doesn’t do any sandboxing. It just evals code in the context an iframe, which is completely insecure. The “sandboxed” code could still access the parent window. For example, sandbox.eval("parent.doWhatever()").

Dean’s code can be simplified to to just using iframe.contentWindow.eval. Nothing special there.

Comment by EliGrey — June 25, 2009

@EliGrey I think you are being a bit harsh on Dean’s approach. He popularized/discovered the iframe approach that allows devs to access/use/extend native objects that are separate from the normal documents without using eval or function decompilation via toString(). Iframes, while still buggy in areas (IE https, Safari 2), also offer support for more than just Firefox 3.5, Chrome 2, and Safari 4. I think there is plenty of things “special” there.

Comment by jdalton — June 25, 2009

@EliGrey Try reading the post before posting comments. Code running in the sandbox does not have access to parent/window/etc. It’s a web worker thread, which does not run in the context of the web page.

Comment by randomrandom — July 6, 2009

@randomrandom I never said anything about jsandbox. I was talking about Dean Edwards’ insecure attempt at making a sandbox. I’m the guy who wrote jsandbox.

Comment by EliGrey — July 8, 2009

I tested jsandbox it in recent versions of FireFox and Chrome without any problems (it’s great!), but it seems the ‘load’ function fails in Safari (using 4.04). It does not appear to be a browser-thread-support issue as the implementation on http://pmav.eu/stuff/javascript-webworkers/ works in Safari. Is there any planned updates to the script?

Comment by almo — June 8, 2010

Leave a comment

You must be logged in to post a comment.