Is It Possible to Sandbox JavaScript Running In the Browser?

Problem description

I'm wondering if it's possible to sandbox JavaScript running in the browser to prevent access to features that are normally available to JavaScript code running in an HTML page.

For example, let's say I want to provide a JavaScript API for end users to let them define event handlers to be run when "interesting events" happen, but I don't want those users to access the properties and functions of the window object. Am I able to do this?

In the simplest case, let's say I want to prevent users calling alert. A couple of approaches I can think of are:


  • Redefine window.alert globally. I don't think this would be a valid approach because other code running in the page (i.e. stuff not authored by users in their event handlers) might want to use alert.
  • Send the event handler code to the server to process. I'm not sure that sending the code to the server to process is the right approach because the event handlers need to run in the context of the page.

Perhaps a solution where the server processes the user-defined function and then generates a callback to be executed on the client would work? Even if that approach works, are there better ways to solve this problem?

Recommended answer

Google Caja is a source-to-source translator that "allows you to put untrusted third-party HTML and JavaScript inline in your page and still be secure."
