Comments (8)
Thanks for the feedback.
What you did is obtain access to the Worker's internal scope; now you can send messages to the main application. But accessing the worker scope is not insecure; in fact that is the sandbox provided by the browser and reused by Jailed to protect the main application from being accessed by untrusted code.
The worst thing you can do in this case is closing the worker:
(function(){return this})().close();
or using a method provided by the Jailed library:
(function(){return this})().application.disconnect();
This is not dangerous, a plugin may kill itself if it wants ;-) The application will be notified and may restart the plugin in that case (try the last snippet in the console demo).
Normally, untrusted code running in a plugin created by the Jailed library has full access to the worker's scope (particularly, it may use postMessage(), but exported functions are designed to be a convenient replacement for that). The reason I hid those properties in the demo is that the Console is some kind of virtual environment for a user to evaluate custom JS on the fly. In this sense, the methods available to the worker are not related to the purpose of that application.
PS I have improved the disconnect handling by the console demo, thanks for pointing that out.
PPS Text selection was also re-enabled on the console, disabling it was a stupid idea :-)
from jailed.
I believe Worker is not intended to provide a sandbox...
Are you sure you don't mind the "jailed" script accessing any API in the Worker?
Even though it can't directly access the DOM, it can access anything else, including IndexedDB, FileSystem, WebSocket and XMLHttpRequest.
And it may even be able to access cookies via CORS XHR + the withCredentials flag.
I feel it's still dangerous to execute untrusted code in that.
How about replacing that with <iframe sandbox>?
It can have a separate security origin from the outer page, and your infrastructure seems easy to port to it.
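The host-side pattern the comment above recommends, as an added example that is not part of the thread or of the jailed project's code: the plugin runs in an iframe with sandbox="allow-scripts" only, so it gets an opaque origin and cannot reach the host's cookies, storage or DOM, and the host accepts only messages that come from that frame and match a fixed allow-list of message types. The function names, the message shape ({type, payload}) and the handlers are assumptions made for illustration; the self-check at the bottom feeds constructed MessageEvent-like objects so the logic also runs outside a browser.

```javascript
// Added example (not from the jailed project). Function and message names
// are assumptions; the message shape {type, payload} is constructed here.

// 1. "allow-scripts" alone: the frame runs JS but has an opaque origin.
//    Never combine allow-scripts with allow-same-origin for untrusted code:
//    a same-origin frame could then remove its own sandbox attribute.
const SANDBOX_FLAGS = 'allow-scripts';

// Create the plugin frame (browser only). srcdoc carries the plugin's HTML/JS.
function createPluginFrame(doc, srcdoc) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', SANDBOX_FLAGS);
  frame.srcdoc = srcdoc;
  frame.style.display = 'none';
  doc.body.appendChild(frame);
  return frame;
}

// 2. Accept a message only if it was posted by our frame's window, if it
//    carries the opaque origin ("null" is what MessageEvent.origin reports
//    for a sandboxed frame without allow-same-origin), and if it has the
//    expected shape. Anything else is ignored.
function isMessageFromPlugin(event, frame) {
  if (event.source !== frame.contentWindow) return false;
  if (event.origin !== 'null') return false;
  const d = event.data;
  return typeof d === 'object' && d !== null && typeof d.type === 'string';
}

// 3. Dispatch on an explicit allow-list of message types. Use hasOwnProperty
//    so a plugin cannot reach prototype members such as "constructor".
function handlePluginMessage(event, frame, handlers) {
  if (!isMessageFromPlugin(event, frame)) {
    return { accepted: false, reason: 'not from plugin frame' };
  }
  const type = event.data.type;
  if (!Object.prototype.hasOwnProperty.call(handlers, type)) {
    return { accepted: false, reason: 'unknown type' };
  }
  return { accepted: true, result: handlers[type](event.data.payload) };
}

// 4. Sending to the plugin: the frame's origin is opaque and cannot be named,
//    so targetOrigin must be '*'. That is acceptable only because the message
//    goes to this specific frame's contentWindow, not to an arbitrary window.
function sendToPlugin(frame, type, payload) {
  frame.contentWindow.postMessage({ type, payload }, '*');
}

// Self-check with constructed events (no browser needed).
function selfCheck() {
  const frame = { contentWindow: {} };            // stands in for an iframe
  const handlers = { sum: (p) => p.a + p.b };     // allow-listed host API
  const good = { source: frame.contentWindow, origin: 'null',
                 data: { type: 'sum', payload: { a: 2, b: 3 } } };
  const wrongWindow = { ...good, source: {} };
  const wrongOrigin = { ...good, origin: 'https://host.example' };
  const unknown = { ...good, data: { type: 'constructor', payload: {} } };
  return {
    good: handlePluginMessage(good, frame, handlers),
    wrongWindow: handlePluginMessage(wrongWindow, frame, handlers),
    wrongOrigin: handlePluginMessage(wrongOrigin, frame, handlers),
    unknown: handlePluginMessage(unknown, frame, handlers),
  };
}

if (typeof window === 'undefined') {
  console.log(JSON.stringify(selfCheck(), null, 2));
} else {
  // Browser wiring: hypothetical plugin source, handlers and listener.
  const frame = createPluginFrame(document, '<script>parent.postMessage({type:"sum",payload:{a:2,b:3}},"*")</script>');
  window.addEventListener('message', (ev) =>
    console.log(handlePluginMessage(ev, frame, { sum: (p) => p.a + p.b })));
  sendToPlugin(frame, 'hello', null);
}
```

The origin check is the part that a Worker-based design cannot offer: a Worker shares the page's origin, so its IndexedDB, credentialed fetches and the rest are the host's own, whereas a sandboxed frame without allow-same-origin is a different (opaque) origin to the browser.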
You are probably right, I just had the impression that a worker is suitable for sandboxing:
http://stackoverflow.com/questions/12791699/do-web-workers-increase-or-decrease-security
Otherwise I will have to investigate this deeper (particularly why iframe sandbox is more secure than a worker).
Please add any links / examples (which may help with clarifying) to this issue.
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Web_Workers
seems to contain some info on this
Submitted a related question:
http://stackoverflow.com/questions/25964015/can-workers-be-secure-enough-for-an-untrusted-code
OK, seems like I finally got a solution, will prepare a new release soon.
The fix is committed into git, pending a new release.
Fixed in v0.2.0.
@tzik thanks for the contribution.