What actually is sandboxing in JavaScript?


Question


I understand the term sandbox. But my limited skills in JS are unable to help me understand what sandboxing in JS is. So, what actually is sandboxing? Apart from security, why do we need to sandbox JS?

Solution

Sandboxing is the act of creating a scope in which no other part of the application can operate (unless given an opportunity to). More specifically, this is usually a function scope that exposes a limited subset of what's actually going on within it.

One library that's founded on the idea of sandboxes is YUI3. The basic unit of the application is a YUI instance sandbox:

var Y = YUI(); // creates a configurable YUI instance

// Creates a sandbox for one part of your application,
// including the 'node' module.
Y.use('node', function(Z) {
    // Z is a YUI instance that's specific to this sandbox.
    // Operations inside it are protected from outside code
    // unless exposed explicitly. Any modules you request in the
    // use statement will be separately instanced just for
    // this sandbox (in this case, the 'node' module)
    //
    // That way, if another part of your application decides
    // to delete Z.Node (or worse, replace it with a
    // malicious proxy of Z.Node) the code you've written
    // here won't be affected.
});

The advantages of sandboxes are primarily to reduce application complexity: since sandboxes are immutable, they're much easier to reason about and verify. They also improve runtime security, since a well-designed sandbox should be able to operate as a black box to other scripts running on the page. It does not prevent all possible attacks, but it protects against many of the simple ones.
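The pattern the answer describes, as an added example that is not part of the original answer and is not YUI's code: each caller gets its own frozen module instances inside a function scope, so tampering elsewhere does not reach code that already holds its instance. The names `registry`, `addModule`, `use` and the `escape` module are hypothetical.

```javascript
// Added illustration, not YUI code: `registry`, `addModule` and `use` are hypothetical.
const registry = new Map(); // module name -> factory

function addModule(name, factory) {
  registry.set(name, factory);
}

// Build a private, frozen instance from the requested modules and pass it
// to the callback, the way the answer's Y.use(...) callback receives Z.
function use(names, callback) {
  const instance = {};
  for (const name of names) {
    const factory = registry.get(name);
    if (typeof factory !== 'function') {
      throw new Error('unknown module: ' + name);
    }
    instance[name] = Object.freeze(factory()); // fresh object per sandbox
  }
  return callback(Object.freeze(instance));
}

const escaper = () => ({
  html: (s) => String(s).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';'),
});

// Constructed scenario: one part of the page renders text, another part
// tries to swap the escaper for a pass-through.
function demo() {
  addModule('escape', escaper);
  const render = use(['escape'], (Z) => (text) => '<p>' + Z.escape.html(text) + '</p>');

  // Attempt 1: overwrite a member from inside a different sandbox.
  // Reflect.set reports false because the module object is frozen.
  const overwritten = use(['escape'], (Z) => Reflect.set(Z.escape, 'html', (s) => s));

  // Attempt 2: replace the shared factory. Existing sandboxes keep the
  // instance they captured; only sandboxes created afterwards see the change.
  addModule('escape', () => ({ html: (s) => s }));
  const late = use(['escape'], (Z) => Z.escape.html('<b>'));

  return { output: render('<b>hi</b>'), overwritten, late };
}

console.log(demo());
```

The `late` result shows the limit of this sketch: the registry is still shared, so a sandbox created after the factory is replaced receives the replacement.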
