安全问题允许用户将自己的JavaScript添加到您的网站？ [英] Security Issues for allowing users to add own JavaScript to your site?

问题描述

我打算创建一个开源教育网络应用程序，人们可以在其中添加和编辑内容（有点像维基百科）。

I am planning to create an open source education web app where people can add and edit the content (a bit like Wikipedia).

但是我希望添加另一个允许用户使用JavaScript添加自己的交互式内容的功能。 （类似JSFiddle的做法）

However I wish to add another feature that allows the user to add their own interactive content using JavaScript. (similar how JSFiddle does it)

这样做有哪些安全问题？
可选问题：如何克服这些问题？

What are the security concerns in doing this? Optional question: How can these issues be overcome?

推荐答案

是的，你可以使用 HTML5 Sandbox 仅加载IFrame中的用户脚本。

Yes you could use HTML5 Sandbox to only load user scripts in an IFrame.

您应该只托管来自与主网站不同的域的用户内容。如果攻击者说服用户注意，这将阻止任何 XSS 攻击直接访问页面（沙箱外）。例如如果您的网站是 www.example.com ，您可以使用以下代码显示沙盒IFrame：

You should only host user content from a different domain than your main site. This will prevent any XSS attack if an attacker convinces a user to visit the page directly (outside of the sandbox). e.g. if your site is www.example.com you could use the following code to display the sandboxed IFrame:

<iframe src="https://www.foo.com/show_user_script.aspx?id=123" sandbox="allow-scripts"></iframe>

这将允许脚本，但会阻止IFrame之外的表单和导航。

This will allow scripts, but forms and navigation outside of the IFrame will be prevented.

关于OWASP的HTML5安全备忘单指南声明这是沙盒的用途：

The HTML5 Security Cheat Sheet guidance on OWASP states this is the purpose of the sandbox:

将iframe的沙箱属性用于不受信任的内容

Use the sandbox attribute of an iframe for untrusted content

在呈现IFrame之前，您应首先测试是否支持沙箱：

You should test whether sandbox is supported first, before rendering the IFrame:

<iframe src="/blank.htm" sandbox="allow-scripts" id="foo"></iframe>

var sandboxSupported = "sandbox" in document.createElement("iframe");

if (sandboxSupported) {
    document.getElementById('foo').setAttribute('src', 'https://www.foo.com/show_user_script.aspx?id=123');
}
else
{
    // Not safe to display IFrame
}

通过动态更改 src 这样做更安全，而不是重定向，如果 sandboxSupported 是 false 因为如果重定向没有及时发生，则不会意外地呈现iframe。

It is safer to do it this way by dynamically changing the src rather than redirecting away if sandboxSupported is false because then the iframe will not accidentally be rendered if the redirect doesn't happen in time.

当 @Snowburnt 触及时，没有什么能阻止用户脚本将用户重定向到一个网站发生偷渡式下载，但这种方法，假设用户是最新的补丁，并没有零日漏洞，这是一种安全的方法，因为它可以保护其最终用户及其网站上的数据通过同源政策。

As @Snowburnt touches upon, there is nothing stopping a user script from redirecting a user to a site where a drive-by download occurs, but this approach, assuming a user is up to date on patches, and there are no zero day vulnerabilities, this is a safe approach because it protects its end users and their data on your site via the same origin policy.

这篇关于安全问题允许用户将自己的JavaScript添加到您的网站？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！