Web工作者是沙箱不受信任的JavaScript代码的安全方式 [英] Are web workers a secure way to sandbox untrusted javascript code
问题描述
我想知道一个网络工作者是否是沙箱不受信任的javascript代码的安全方式。例如,在绘图应用程序的上下文中,开发人员可以在其中实现新的绘图工具,您可以将他们的代码放在webworker中,并且每当用户点击画布时,向他们发送包含光标位置的JSON消息,以及图像数据的数组,当脚本完成后,它会传回一条包含新图像数据的消息。
I was wondering if a web worker would be a secure way to sandbox untrusted javascript code. Let's say for example in the context of a drawing application where developers can implement new drawing tools, you could put their code inside a webworker, and any time the user clicks on the canvas, send them a JSON message containing the cursor position, and an array of image data, and when the script is done, it passes a message back containing the new image data.
这是安全的,还是有风险我是没想到?
Would this be secure, or are there risks I'm not thinking of?
推荐答案
网络工作者无法使用DOM,但是可以访问同源的东西,喜欢 indexedDB
。请参阅我的相关问题:
DOM is not available to the Web-workers, but it is possible to access same-origin stuff, like indexedDB
. See my related question on this:
安全的方法是使用 sandbox
iframe的属性:
The secure way is to use sandbox
attribute of the iframe:
http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
查看我的库,它简化了过程并提供了与沙箱的便捷连接(函数导出而不是消息传递):
Also take a look at my library which simplifies the process and provides the convenient connection with the sandbox (function export instead of messaging):
https://github.com/asvd/jailed
这篇关于Web工作者是沙箱不受信任的JavaScript代码的安全方式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!