Using Google Caja to run user-supplied Javascript

Views: 564

Question

It appears that the official examples use a caja.js file that just wraps an iframe to load a URL from a server hosting a caja compilation service, which in turn gets its input from some URL. The relevant API for that is available here.


However, what I really want is to just safely (and repeatedly) run a user-supplied piece of Javascript, like so:

for (var i = 0; i < N; ++i) {
    var x = getUserResult(currentState);
    updateState(currentState, x);
}


Is there any way to do this directly? The code here has the compiler. Why can't I just use that to compile the code and then run that within an emulated context? Is it because the only way to get a safe context in a browser is an iframe? And, if so, is there any way I can use an iframe to directly run given source code, without having to fetch it from an external URL?

Recommended answer


Caja needs an iframe no matter what. Both modes of execution require a set of JavaScript globals (obtained by creating the frame) which is available to be radically modified to enable safe execution.


Modern Caja (ES5 mode) does not require any server-side compilation step; provided the browser is compatible you can use Caja in the standard way and the server will never be contacted. To force this, specify es5Mode: true in the options to caja.initialize.


You can load guest code once and repeatedly execute it; just provide an api which lets the guest pass a function out when it's loaded, then call the function whenever you like.


For your use case, it would also be possible to use SES, the modern safe-eval subsystem of Caja, without using Caja itself at all; this would allow you to skip having any iframes, but would require you to write your code in a SES-compatible way; that is,

  • refraining from modifying global objects such as Object.prototype, and
  • protecting all objects directly or indirectly exposed to the user-supplied code using Object.freeze().


If you're up for it, I do recommend using SES directly, as it removes a lot of indirections and total complexity, but it does require understanding the concepts to succeed at safety.
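The register-once, call-many pattern and the Object.freeze() discipline the answer describes, as an added host-side example (not code from the original post or from Caja/SES). The guest function is a constructed stand-in for user-supplied source that would really be evaluated under Caja or SES with api as its only host-provided global; updateState and the round/score state are assumptions.

```javascript
// Transitively freeze an object graph so guest code cannot mutate anything it can
// reach (SES calls this harden()/def(); this version only walks own properties).
function deepFreeze(obj, seen = new Set()) {
  if (obj === null || (typeof obj !== "object" && typeof obj !== "function") || seen.has(obj)) return obj;
  seen.add(obj);
  Object.freeze(obj);
  for (const key of Reflect.ownKeys(obj)) {
    const d = Object.getOwnPropertyDescriptor(obj, key);
    deepFreeze(d.value, seen); deepFreeze(d.get, seen); deepFreeze(d.set, seen);
  }
  return obj;
}

// Assumed state transition for the question's loop: the guest's number is added to the score.
function updateState(state, x) {
  return { round: state.round + 1, score: state.score + x };
}

// Host side: api is the only object the guest ever sees. The guest calls register()
// once while loading; the host then invokes the stored step function whenever it likes.
function makeHost() {
  let guestStep = null;
  const api = deepFreeze({
    register(fn) {
      if (typeof fn !== "function") throw new TypeError("register expects a function");
      if (guestStep !== null) throw new Error("step function already registered");
      guestStep = fn;
    },
  });
  function run(initialState, N) {
    if (guestStep === null) throw new Error("guest never called register()");
    let state = initialState;
    for (let i = 0; i < N; ++i) {
      const view = deepFreeze(JSON.parse(JSON.stringify(state))); // read-only copy for the guest
      const x = Number(guestStep(view));                          // never trust the guest's return value
      if (!Number.isFinite(x)) throw new Error("guest returned a non-numeric result");
      state = updateState(state, x);
    }
    return state;
  }
  return { api, run };
}

// True when a write to obj[key] is rejected; Reflect.set reports false on a frozen object.
function writeRejected(obj, key) {
  return Reflect.set(obj, key, "tampered") === false && obj[key] !== "tampered";
}

// Constructed guest: in real use this body is the user-supplied source run under Caja/SES.
function constructedGuest(api) {
  api.register((state) => (state.score < 10 ? 3 : 1));
}
```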
