Dynamic guest page embedding

Skip to first unread message

Marc H

Feb 9, 2018, 3:32:16 PM2/9/18
to Google Caja Discuss
I am trying to use Caja to sandbox users' games, to prevent malicious code from being run, however when using Caja you us separate host and guest pages eg. example.com/host and example.com/guest

My concern is that an attacker could simply link to the unsandboxed example.com/guest, and bypass the sandbox entirely.

Is there any way to protect against this, such as dynamically loading the html from a string, or blocking direct access to example.com/guest?

Kevin Reid

Feb 9, 2018, 3:37:32 PM2/9/18
to Google Caja Discuss
You can load content from a string — instead of frame.code use frame.content(url, content, mimeType) where url is only used for relative-URL resolution. Or you can use a custom fetcher function in the uriPolicy which receives the specified URL and returns the content obtained in some other way than an XHR.

You could also use a separate domain for hosting "untrusted user content" which has nothing to attack.

Reply all
Reply to author
0 new messages