工作人员是否足够安全以获取不受信任的代码 [英] Can workers be secure enough for an untrusted code
问题描述
我有一个用户提交的不受信任的代码,我需要在浏览器的沙盒环境中执行它。
I have an untrusted code submitted by a user, and I need to execute it in a sandboxed environment in a browser.
我被告知网络工作者不能要足够安全,并且最好使用沙坑的iframe。此页:
I was advised that Web-Workers cannot be secure enough for that, and that a sandbxed iframe should better be used. This page:
https:/ /www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Web_Workers
还表示工作人员不适合不受信任的代码。
also says workers are not suitable for untrusted code.
但是如果我从Blob创建一个worker,它的url甚至有一个不同的协议( blob:// )。在这种情况下,是否将单独的原始策略应用于工作程序代码?
But if I create a worker from a Blob, its url even has a different protocol (blob://). Is separate origin policy applied to the worker code in this case?
如果还有其他原因,为什么工作者(默认情况下)与沙盒iframe相比受限制较少(访问IndexedDB或其他东西),有没有机会以某种方式设置一个工作人员,以便它足够受限制,或者我仍然应该使用沙盒iframe?
If there are additional reasons, why a worker is (by default) less restricted comparing to the sandboxed iframe (accesing IndexedDB or something else), is there any chance to set-up a worker somehow so that it would be restricted enough, or should I still use sandboxed iframe anyway?
推荐答案
在这种情况下,是否将单独的原始政策应用于工人代码?
Is separate origin policy applied to the worker code in this case?
不,来自当前编辑器的File API规范草案:
Blob URL的来源必须与创建方法时现任设置对象指定的有效脚本源相同它 - 调用了URL.createObjectURL或URL.createFor - 。
The origin of a Blob URL must be the same as the effective script origin specified by the incumbent settings object at the time the method that created it -- either URL.createObjectURL or URL.createFor -- was called.
其他原因,为什么工人(默认情况下)与沙盒iframe相比受限制较少
additional reasons, why a worker is (by default) less restricted comparing to the sandboxed iframe
沙盒iframe可以指定除跨域通信之外的其他内容的某些权限。例如,您可以阻止沙盒内容打开弹出窗口。虽然网络工作者目前没有API来做这些事情。
Sandboxed iframes can specify some permissions on things other than cross-origin communication. For example, you can prevent the sandboxed content from opening popups. Although web workers currently don't have APIs to do many of these things.
是有没有机会以某种方式设置一个工人,以便它受到足够的限制
is there any chance to set-up a worker somehow so that it would be restricted enough
网上没有任何安全机制工人。 Web平台中还有其他工具可用于隔离不受信任的代码,如您指出的沙盒iframe。你可以让一个沙盒iframe创建一个web worker,如果还好的话。
There just isn't any security mechanism for web workers. There are other tools in the web platform for isolating untrusted code, like a sandboxed iframe as you point out. You could have a sandboxed iframe create a web worker, if that's any better.
这篇关于工作人员是否足够安全以获取不受信任的代码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
