Improving the sandbox


Mike H

Aug 22, 2014, 2:27:13 AM
to trib...@googlegroups.com
Was reading the following post -

Weaponizing jsFiddle, CodePen, and JSApp

Tributary is susceptible to a standard top re-direct, ie -

top.location = "http://www.gawker.com";

You could add the sandbox attribute to the sandbox iframe to stop this type of behavior -

ie - sandbox="allow-same-origin allow-scripts" 

Or, might this break other functionality?

Also, is there any reason why the CodeMirror window and controls are also within the sandbox domain? Typing the following line into Tributary redirects the entire bottom half of the display -

document.body.innerHTML = "<iframe src='http://www.gawker.com' style='width: 100%; height: 100%' />";

How difficult might it be to separate the display and only place the SVG in the sandbox? Example at - http://codemirror.net/demo/preview.html



Ian Johnson

Sep 8, 2014, 10:22:58 PM
to Mike H, trib...@googlegroups.com
Mike,

Thanks so much for bringing this up and sharing your thoughts.

Right now the way it works is that the iframe that runs the code is on a different subdomain so that code can't reach up into the part of Tributary that handles GitHub logins.
We could make the code editors run outside of the iframe, but I just haven't had time to refactor it to do that. The one nice thing about having the code in the inner iframe is that you can do introspection directly (there are options for inline console logging and AST parsing of the code). So I modify the CodeMirror instance using runtime values from the code. If I put the editor in the outer iframe I'd have to use postMessage to send that state over, which wouldn't be the worst thing and is probably how I'll do it when I refactor.

I'll have to try out the sandbox attribute, thanks again for letting me know.
Ian






--
Ian Johnson - 周彦
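Putting the two ideas in this thread together (the sandbox attribute Mike proposes and the postMessage hand-off Ian describes), here is an added example of what the host-page side could look like. It is not Tributary's code; the sandbox origin, the message shape and the document stub used for testing are assumptions.

```javascript
// Assumed origin of the subdomain that runs user code (not from the thread).
const SANDBOX_ORIGIN = "https://sandbox.tributary.example";

// Tokens for the iframe's sandbox attribute: allow-scripts so user code runs,
// allow-same-origin so the frame keeps its own subdomain origin for its own
// requests, and deliberately NO allow-top-navigation, so `top.location = ...`
// from user code is refused by the browser. allow-same-origin is only safe
// here because the frame's origin differs from the host page's origin.
function sandboxTokens() {
  return ["allow-scripts", "allow-same-origin"].join(" ");
}

// `doc` is the host document (or a stub); the attribute must be set before
// the frame is attached and loaded for the restrictions to apply.
function createSandboxFrame(doc, src) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", sandboxTokens());
  frame.setAttribute("src", src);
  return frame;
}

// Host-side handler for runtime state (console output, errors) sent by the
// inner frame once the editor lives outside it. Anything not from the sandbox
// origin or not of a known shape is dropped, so user code cannot push
// arbitrary objects into the editor UI.
function handleSandboxMessage(event, expectedOrigin = SANDBOX_ORIGIN) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type === "log" && typeof data.text === "string") {
    const line = Number.isInteger(data.line) ? data.line : null;
    return { type: "log", line, text: data.text.slice(0, 1000) };
  }
  if (data.type === "error" && typeof data.message === "string") {
    return { type: "error", message: data.message.slice(0, 1000) };
  }
  return null; // unknown message type
}

// Inner-frame side: report a console line to the host instead of touching
// the editor DOM directly. `hostOrigin` must be the host page's origin, never "*".
function reportLog(hostWindow, hostOrigin, line, text) {
  const msg = { type: "log", line, text: String(text) };
  hostWindow.postMessage(msg, hostOrigin);
  return msg;
}
```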