I have recently released JSandbox version 0.2. JSandbox is a JavaScript sandboxing library. Version 0.2 is, for the most part, a complete re-write. It introduces many new features, such as load (for loading external scripts) and exec (faster than eval but no return value). There is now an additional fixed-position arguments API along with the version 0.1 API.
Eli Grey
❧
Are there any issues with JSandbox? I mean how safe is it to execute user uploaded JS scripts this way?
To the extent of my knowledge, JSandbox is completely safe. I’ve done much penetration testing and have been unable to uncover any not already-patched attack vectors. Please note that I will eventually (not anytime soon) be rewriting JSandbox into an easier to use (for both the client website and user-submitted code) Java Runnable-like API.
Cool. Do you think it is possible to use current version for a scenario when website provides some points of extensibility and website users can extend website functionality with their code by uploading it to the website, similar to how MEF works in .NET world ( http://mef.codeplex.com/ )?
It depends on what kind of website extensibility you want. If you want to let scripts commit DOM modifications, you’re going to have to build a secure API on top of JSandbox where the sandboxed script continuously (you’ll need to keep polling it, something you wouldn’t have to do in the planned rewrite where you can listen for messages) gives a list of DOM mutations for your API to approve or deny.
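The approve-or-deny step described in the reply above could look like the following on the host page. This is an added example, not code from JSandbox or from the post's author: the mutation record shape ({op, target, name, value}), the POLICY values and the function names are assumptions, and fetching the list from the sandbox is left out.

```javascript
// Host-side review of DOM mutations proposed by sandboxed code (added example).
// Record shape and POLICY are assumptions for illustration, not part of JSandbox.
const POLICY = {
  targets: /^#ext-[a-z0-9-]+$/,            // extensions may only touch their own containers
  ops: new Set(["setText", "setAttr", "addClass"]),
  attrs: new Set(["title", "href", "alt"]), // no event-handler or style attributes
  schemes: new Set(["http:", "https:"]),
  className: /^ext-[a-z0-9-]+$/,
};

// Returns null when the mutation is acceptable, otherwise the reason for denial.
function checkMutation(m, policy = POLICY) {
  if (m === null || typeof m !== "object") return "not an object";
  const { op, target, name, value } = m;
  if (typeof op !== "string" || !policy.ops.has(op)) return "operation not allowed";
  if (typeof target !== "string" || !policy.targets.test(target)) return "target outside extension area";
  if (typeof value !== "string") return "value must be a string";
  if (op === "addClass") return policy.className.test(value) ? null : "class name not allowed";
  if (op === "setAttr") {
    const attr = typeof name === "string" ? name.toLowerCase() : "";
    if (!policy.attrs.has(attr)) return "attribute not allowed";
    if (attr === "href") {
      let url;
      try { url = new URL(value); } catch { return "URL must be absolute"; }
      if (!policy.schemes.has(url.protocol)) return "URL scheme not allowed";
    }
  }
  return null; // setText: the host must apply it with textContent, never innerHTML
}

// Split an untrusted list into approved and denied mutations.
function reviewMutations(list, policy = POLICY) {
  const approved = [], denied = [];
  if (!Array.isArray(list)) return { approved, denied: [{ mutation: list, reason: "not a list" }] };
  for (const m of list) {
    const reason = checkMutation(m, policy);
    if (reason) denied.push({ mutation: m, reason });
    else approved.push({ op: m.op, target: m.target, name: m.name, value: m.value }); // copy known fields only
  }
  return { approved, denied };
}

// Constructed sample of what a sandboxed extension might return.
const SAMPLE = [
  { op: "setText", target: "#ext-weather", value: "Sunny <b>today</b>" },
  { op: "setAttr", target: "#ext-weather", name: "href", value: "https://example.com/forecast" },
  { op: "setAttr", target: "#ext-weather", name: "onclick", value: "x()" },
  { op: "setAttr", target: "#ext-weather", name: "href", value: "javascript:void(0)" },
  { op: "setText", target: "#login-form", value: "hi" },
  { op: "setHTML", target: "#ext-weather", value: "<p>hi</p>" },
];
```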
Hi, I’ve been looking at JavaScript sandboxing solutions, and your library looks great. From what I understand, it does not run in an iFrame, though, so how can you protect from malicious scripts stealing cookies via AJAX requests?