Today I've been sorting through some of my earlier research and gradually moving it over to the blog. This post is about JavaScript sandboxes (browser).
Things that work
Iframe + sandbox attribute: https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html#attr-iframe-sandbox
Web Worker + prevent usage of dangerous objects + CSP: https://www.softfluent.com/blog/dev/Executing-untrusted-JavaScript-code-in-a-browser
Stricter sandbox (a true sandbox environment) - Google Caja: https://github.com/google/caja
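For the "Web Worker + prevent usage of dangerous objects" item above, an added example (not code from this post or from the linked article) of an allowlist lockdown applied to the worker's global scope before the untrusted code runs. The names `ALLOWED`, `lockDown`, `buildWorkerSource` and `runUntrusted`, and the allowlist contents, are assumptions for illustration.

```javascript
// Illustrative allowlist (an assumption): everything else on the worker global is blocked.
const ALLOWED = ['self', 'postMessage', 'onmessage', 'close', 'undefined', 'NaN',
  'Infinity', 'Object', 'Array', 'String', 'Number', 'Boolean', 'Math', 'JSON',
  'Date', 'Error', 'TypeError', 'Promise', 'Symbol', 'Map', 'Set'];

// Walk `scope` and its prototypes (stopping before Object.prototype) and replace
// every property that is not allowlisted with a throwing, non-configurable getter.
// Returns the names that were already non-configurable and could not be replaced.
function lockDown(scope, allowed) {
  // Capture built-ins first: the globals themselves may be blocked by this loop.
  const { getOwnPropertyNames, getPrototypeOf, defineProperty } = Object;
  const objectProto = Object.prototype, Err = Error;
  const keep = new Set(allowed), failed = [];
  for (let o = scope; o && o !== objectProto; o = getPrototypeOf(o)) {
    for (const name of getOwnPropertyNames(o)) {
      if (keep.has(name)) continue;
      try {
        defineProperty(o, name, {
          get() { throw new Err('sandbox: access to ' + name + ' is blocked'); },
          configurable: false,
        });
      } catch (e) {
        failed.push(name);
      }
    }
  }
  return failed;
}

// Worker script text: the lockdown runs first, then the untrusted code.
function buildWorkerSource(untrustedCode, allowed = ALLOWED) {
  return '"use strict";\n(' + lockDown.toString() + ')(self, ' +
    JSON.stringify(allowed) + ');\n' + untrustedCode;
}

// Browser only: run the code in a dedicated worker and kill it after timeoutMs.
function runUntrusted(untrustedCode, timeoutMs) {
  const blob = new Blob([buildWorkerSource(untrustedCode)], { type: 'text/javascript' });
  const url = URL.createObjectURL(blob);
  const worker = new Worker(url);
  return new Promise((resolve, reject) => {
    const done = (settle, value) => {
      clearTimeout(timer); worker.terminate(); URL.revokeObjectURL(url); settle(value);
    };
    const timer = setTimeout(() => done(reject, new Error('sandbox: timed out')), timeoutMs);
    worker.onmessage = (e) => done(resolve, e.data);
    worker.onerror = (e) => done(reject, new Error(e.message));
  });
}
```

The lockdown only covers names reachable from the worker's global scope: `(function(){}).constructor` still yields `Function`, so a CSP without `'unsafe-eval'` is still needed as a backstop.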
Libraries
Jailed is a small JavaScript library for running untrusted code in a sandbox. The library is written in vanilla-js and has no dependencies.
Jailed — flexible JS sandbox https://github.com/asvd/jailed
Caja is a tool for making third party HTML, CSS and JavaScript safe to embed in your website. It enables rich interaction between the embedding page and the embedded applications. Caja uses an object-capability security model to allow for a wide range of flexible security policies, so that your website can effectively control what embedded third party code can do with user data.
Caja supports most HTML and CSS and the recently standardized “strict mode” JavaScript version of JavaScript – even on older browsers that do not support strict mode. It allows third party code to use new JavaScript features on older browsers that do not support them.
https://github.com/google/caja
Reference
https://stackoverflow.com/questions/195149/is-it-possible-to-sandbox-javascript-running-in-the-browser