Comments on: JavaScript sandbox using Web Workers

By: almo

almo — Tue, 08 Jun 2010 06:51:32 +0000

I tested jsandbox it in recent versions of FireFox and Chrome without any problems (it’s great!), but it seems the ‘load’ function fails in Safari (using 4.04). It does not appear to be a browser-thread-support issue as the implementation on http://pmav.eu/stuff/javascript-webworkers/ works in Safari. Is there any planned updates to the script?

By: EliGrey

EliGrey — Wed, 08 Jul 2009 21:55:52 +0000

@randomrandom I never said anything about jsandbox. I was talking about Dean Edwards’ insecure attempt at making a sandbox. I’m the guy who wrote jsandbox.

By: randomrandom

randomrandom — Tue, 07 Jul 2009 03:59:00 +0000

@EliGrey Try reading the post before posting comments. Code running in the sandbox does not have access to parent/window/etc. It’s a web worker thread, which does not run in the context of the web page.

By: jdalton

jdalton — Thu, 25 Jun 2009 19:39:15 +0000

@EliGrey I think you are being a bit harsh on Dean’s approach. He popularized/discovered the iframe approach that allows devs to access/use/extend native objects that are separate from the normal documents without using eval or function decompilation via toString(). Iframes, while still buggy in areas (IE https, Safari 2), also offer support for more than just Firefox 3.5, Chrome 2, and Safari 4. I think there is plenty of things “special” there.

By: EliGrey

EliGrey — Thu, 25 Jun 2009 16:57:35 +0000

Dean Edwards' "sandboxing" script doesn't do any sandboxing. It just evals code in the context an iframe, which is completely insecure. The "sandboxed" code could still access the parent window. For example, sandbox.eval("parent.doWhatever()"). Dean's code can be simplified to to just using iframe.contentWindow.eval. Nothing special there.