Using an iframe for sandboxing?

Views: 203

Question

I am developing a system that allows userwritten javascript in widgets. To keep things secure, I plan to sandbox these widgets in iframes. Of course, for the sandboxing to be effective the iframe must have a different domain than the parent document.

I would really love to be able to dynamically generate the iframe with code similar to this:

var template = '<html><body><script>/* user code */</script></body></html>'  // document to build, user script inline
var src      = 'javascript: document.write("' + template + '")'             // javascript: URL that writes it into the frame
var widget   = $('<iframe>').attr('src', src)                                // jQuery: create the iframe with that src

$('#container').append(widget)                                               // attach the frame to the host page

...and then have the resulting iframe be treated as cross-domain from the parent window. Is this possible, and if so, how would it be done?

Accepted answer

Ok, I think I get what you need but it's a bit tricky. You want to create an <iframe> and populate it with the user Javascript client-side but still have the client sandboxed?

This is fairly non-standard. Usually the contents of the <iframe> are generated server side. But here it goes.

First some background: documents can not access the content of any document that is not from the same domain (including sub-domain) and port. But they can change their own security domain using the document.domain property. So what you need to do is lighten up the security then tighten it back up again for the user script to run.

So you can't do it the way you specified because if you create an <iframe> with a Javascript src the document.domain will match the parent frame. This means that the widget will have full access to everything.

So here's how you can do it:

  1. Set up two sub-domains of your main domain. Let's call them home.example.com and widgets.example.com.
  2. Create a basic HTML file on widgets.example.com and make sure it calls this javascript: document.domain = "example.com";
  3. Now create your page that will contain all these widgets. Set its document.domain to the same value.
  4. Create all your iframes loading your basic HTML page from widgets.example.com into it.
  5. Set a variable inside the frame that contains the user template. Ex: myFrame.contentWindow.foo = "template";
  6. Switch the document.domain on the main window back to home.example.com so that the <iframe>s will no longer have access to the parent frame
  7. Trigger the template substitution in the frame

That last part is the tricky part. You can't just embed the code because if it runs automatically it will run before you can change the domain of the home document back, which will be a security issue. So instead you need to set it to a temporary variable inside the frame then somehow trigger the frame to replace its own contents with that template but only after everything is locked down. The easiest and most compatible way would be to trigger it on resize and then just change the width or height of the frame.

Now, alternatively, if the widget was populated server-side:

  1. Host widget on widgets.example.com
  2. Host page containing widget on home.example.com
  3. Done

But I assume that you have reasons for doing it all client-side.

The logical next topics: communicating between the frames and auto-sizing. But those are for another day.

Did I answer your question? I hope so because this was a lot of typing and I won't mind the reputation points if you vote up and accept my answer! ;)
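
The two pages below are an added example and are not code from the question or from the answer. They keep the answer's layout of a host page on home.example.com and a widget page on widgets.example.com (both assumed hostnames), but replace the document.domain relaxing-and-tightening of steps 2 to 6 with a sandboxed cross-origin iframe and a postMessage handshake: the host hands the template over only after the frame has loaded, and the frame runs it only once that message arrives, which gives the "locked down first, run later" ordering of steps 5 to 7 without ever widening the host's origin. That matters because browsers refuse to narrow document.domain back to a subdomain once it has been widened, and the setter is deprecated and ignored by default in Chromium-based browsers, so step 6 of the answer is not something to rely on.

```html
<!-- Constructed example. File 1: host page, served from https://home.example.com/index.html -->
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Widget host</title></head>
<body>
<div id="container"></div>
<script>
  // Assumed origins, following the answer's two-subdomain layout.
  var WIDGET_ORIGIN = "https://widgets.example.com";
  var WIDGET_URL = WIDGET_ORIGIN + "/widget.html";

  // Constructed stand-in for the user-written widget code from the question.
  var userTemplate = 'document.body.textContent = "hello from the widget";';

  function loadWidget(template) {
    var frame = document.createElement("iframe");
    // Cross-origin plus sandbox: the frame keeps its own widgets.example.com origin
    // (allow-same-origin is acceptable only because that is NOT the host's origin)
    // and may run scripts, but gets no forms, popups or top-level navigation.
    frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
    frame.src = WIDGET_URL;
    frame.addEventListener("load", function () {
      // Hand the template over once the frame is up; targetOrigin pins the recipient.
      frame.contentWindow.postMessage({ type: "template", code: template }, WIDGET_ORIGIN);
    });
    document.getElementById("container").appendChild(frame);
    return frame;
  }

  // Replies from widgets (here: auto-sizing). Trust nothing until the origin is checked
  // and the sender is confirmed to be a frame this page created.
  window.addEventListener("message", function (event) {
    if (event.origin !== WIDGET_ORIGIN) return;
    var frames = document.querySelectorAll("#container iframe");
    for (var i = 0; i < frames.length; i++) {
      if (frames[i].contentWindow === event.source && event.data && event.data.type === "ready") {
        frames[i].height = Number(event.data.height) || 150;  // coerce to a number, never use as HTML
      }
    }
  });

  loadWidget(userTemplate);
</script>
</body>
</html>

<!-- File 2: widget page, served from https://widgets.example.com/widget.html -->
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"></head>
<body>
<script>
  var HOST_ORIGIN = "https://home.example.com";  // assumed host origin
  var ran = false;

  window.addEventListener("message", function (event) {
    // Only the host page, only our direct parent, and only once.
    if (event.origin !== HOST_ORIGIN || event.source !== window.parent) return;
    if (ran || !event.data || event.data.type !== "template") return;
    ran = true;

    // Run the user code inside this document only; the host never evaluates it.
    var s = document.createElement("script");
    s.textContent = String(event.data.code);
    document.body.appendChild(s);

    // Report our height back; the host verifies our origin before using it.
    window.parent.postMessage({ type: "ready", height: document.body.scrollHeight }, HOST_ORIGIN);
  });
</script>
</body>
</html>
```

The separate subdomain is still essential: a sandbox with both allow-scripts and allow-same-origin on a frame served from the host's own origin gives no isolation at all, because the framed script could simply remove the sandbox attribute from its own frame element. The widget page is given allow-same-origin only so that it keeps a real origin; with allow-scripts alone its origin would be opaque ("null"), and the host would have to post the template with a targetOrigin of "*", which drops the check on who receives it. A Content-Security-Policy on widget.html (for example restricting connect-src and img-src) further limits what the user code can reach from inside the frame.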
