Ajaxian

Thursday, June 25th, 2009

JavaScript sandbox using Web Workers

Category: JavaScript, Library

We have been sandboxing JavaScript in iframes for a long time. The Web Worker API has the nice property that it doesn't have access to objects like document and the like, and just runs code that you can pass over to it.

With this, Elijah Grey has created an experimental jsandbox API that gives you an eval function that you pass in some code, and optionally input data, callback for results, and an onerror callback.

Code looks like this:

PLAIN TEXT

JAVASCRIPT:

1.  
2. jsandbox
3.     .eval({
4.       code    : "x=1;Math.round(Math.pow(input, ++x))",
5.       input   : 36.565010597564445,
6.       callback: function(n) {
7.           console.log("number: ", n); // number: 1337
8.       }
9.   }).eval({
10.       code   : "][];.]\\ (*# ($(! ~",
11.       onerror: function(ex) {
12.           console.log("syntax error: ", ex); // syntax error: [error object]
13.       }
14.   }).eval({
15.       code    : '"foo"+input',
16.       input   : "bar",
17.       callback: function(str) {
18.           console.log("string: ", str); // string: foobar
19.       }
20.   }).eval({
21.       code    : "({q:1, w:2})",
22.       callback: function(obj) {
23.           console.log("object: ", obj); // object: object q=1 w=2
24.       }
25.   }).eval({
26.       code    : "[1, 2, 3].concat(input)",
27.       input   : [4, 5, 6],
28.       callback: function(arr) {
29.           console.log("array: ", arr); // array: [1, 2, 3, 4, 5, 6]
30.       }
31.   }).eval({
32.       code    : "function x(z){this.y=z;};new x(input)",
33.       input   : 4,
34.       callback: function(x) {
35.           console.log("new x: ", x); // new x: object y=4
36.       }
37.   });
38.  

Posted by Dion Almaer at 6:17 am
4 Comments

3.2 rating from 18 votes

4 Comments »

Comments feed TrackBack URI

Dean Edwards’ “sandboxing” script doesn’t do any sandboxing. It just evals code in the context an iframe, which is completely insecure. The “sandboxed” code could still access the parent window. For example, sandbox.eval("parent.doWhatever()").

Dean’s code can be simplified to to just using iframe.contentWindow.eval. Nothing special there.

Comment by EliGrey — June 25, 2009

@EliGrey I think you are being a bit harsh on Dean’s approach. He popularized/discovered the iframe approach that allows devs to access/use/extend native objects that are separate from the normal documents without using eval or function decompilation via toString(). Iframes, while still buggy in areas (IE https, Safari 2), also offer support for more than just Firefox 3.5, Chrome 2, and Safari 4. I think there is plenty of things “special” there.

Comment by jdalton — June 25, 2009

@EliGrey Try reading the post before posting comments. Code running in the sandbox does not have access to parent/window/etc. It’s a web worker thread, which does not run in the context of the web page.

Comment by randomrandom — July 6, 2009

@randomrandom I never said anything about jsandbox. I was talking about Dean Edwards’ insecure attempt at making a sandbox. I’m the guy who wrote jsandbox.

Comment by EliGrey — July 8, 2009

Powered by WordPress.
Entries feed. Valid XHTML and CSS.
All rights reserved, Copyright 2009. About Us. Privacy Policy