如何沙箱不受信任的用户提交的JavaScript内容？ [英] How can I sandbox untrusted user-submitted JavaScript content?

问题描述

我需要在我的网站上提供用户提交的脚本（有点像 jsfiddle ）。我希望脚本能够以安全的方式在访问者浏览器上运行，与它们所服务的页面隔离。由于代码是由用户提交的，因此无法保证它是值得信赖的。

I need to serve user-submitted scripts on my site (sort of like jsfiddle). I want the scripts to run on visitors browsers in a safe manner, isolated from the page they are served on. Since the code is submitted by users, there is no guarantee it is trustworthy.

现在我可以想到三个选项：

Right now I can think of three options:

• 在来自其他域的iframe中投放用户提交的内容，并依赖于同源策略。这需要设置一个我想尽可能避免的额外域名。我相信这就是jsfiddle的做法。该脚本仍然可以造成一些损害，例如更改 top.location.href ，这不太理想。 http://jsfiddle.net/PzkUw/


• 使用沙盒属性 即可。我怀疑浏览器不支持此功能。


• 在提供脚本之前清理脚本。我宁愿不去那里。

• Serve the user-submitted content in an iframe from a different domain, and rely on the same-origin policy. This would require setting up an additional domain which I'd like to avoid if possible. I believe this is how jsfiddle does it. The script can still do some damage, changing top.location.href for example, which is less than ideal. http://jsfiddle.net/PzkUw/
• Use the sandbox attribute. I suspect this is not well supported across browsers.
• Sanitize the scripts before serving them. I would rather not go there.

上面有其他解决方案或建议吗？

Are there any other solutions, or recommendations on the above?

更新

如果我怀疑第一个选项是最佳解决方案，什么可以除了更改顶部窗口位置之外的恶意脚本，我该如何防止这种情况？我可以根据静态代码分析操作或拒绝某些脚本，但这是 hard 给出了可以访问对象的方式数量以及一般静态分析javascript的难度。至少，它需要一个完整的解析器和一些复杂的规则（一些，但我怀疑并非所有，其中都存在于JSLint中）。

If, as I suspect, the first option is the best solution, what can a malicious script do other than change the top window location, and how can I prevent this? I can manipulate or reject certain scripts based on static code analysis but this is hard given the number of ways objects can be accessed and the difficulty analysing javascript statically in general. At the very least, it would require a full-blown parser and a number of complex rules (some, but I suspect not all, of which are present in JSLint).

推荐答案

创建一个定义良好的消息接口，并使用JavaScript Web Worker获取要沙箱的代码。 HTML5网络工作者

Create a well defined message interface and use JavaScript Web Worker for the code you want to sandbox. HTML5 Web Workers

网络工作者无法访问到以下DOM对象。

Web Workers do not have access to the following DOM objects.

• 窗口对象

• The window object

文档对象

父对象

所以他们可以重定向页面或更改页面上的数据。

So they can't redirect your page or alter data on it.

您可以创建模板和定义良好的消息传递接口，以便用户可以创建Web工作者脚本，但您的脚本将对于被操纵的内容有最终决定权。

You can create a template and a well defined messaging interface so that users can create web worker scripts, but your script would have the final say on what gets manipulated.

编辑评论由Jordan Gray插入一个似乎可以执行上述操作的JavaScript库。 https://github.com/eligrey/jsandbox

EDIT Comment by Jordan Gray plugging a JavaScript library that seems to do what I described above. https://github.com/eligrey/jsandbox

这篇关于如何沙箱不受信任的用户提交的JavaScript内容？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！