
Note: I haven't been able to find this question on the site; if it exists, close this as a duplicate.

For our application we have a browser-based client using JavaScript. Our application follows a client-server architecture, but is deployed only on premise, i.e. it is not exposed to the web. I am thinking of providing limited scripting support to users (using JavaScript), somewhat similar to that provided in desktop-based applications (like MATLAB).

  1. Is it safe to allow users to script?
  2. What is the safe way to implement it (eval, using an iframe, etc.)?
Gaurav
    The user can script anyway, he doesn't have to ask you. Your site runs in an application on _his_ computer, he can run userscripts. As for safe - [there is a way (web workers)](http://stackoverflow.com/questions/10653809/making-webworkers-a-safe-environment). However, it involves IE10+ (or another modern browser) (using a webworker with a whitelist) – Benjamin Gruenbaum Jun 22 '13 at 19:52
  • @BenjaminGruenbaum Thanks. If it is not possible to use web workers, what is the next safest alternative? – Gaurav Jun 22 '13 at 20:01
  • The next best thing is probably [caja](https://code.google.com/p/google-caja/). Another alternative is letting the users run JS in a VM (it'll make the scripts slow and it'll be hard for them to interact with user code). However, I'd avoid it completely if I were you. – Benjamin Gruenbaum Jun 22 '13 at 20:03

1 Answer


From a security perspective: running scripts on the page is not a problem; a user can already do that by pressing F12 and opening up the console.

The problem is if you allow users to save js into your db which is then loaded on the page by another user.

Imagine if you had a commenting system that allowed script tags, a potential prankster can now perform any of the functions the user can.

Or even anchor tags: `<a href="javascript:pageFunction()">click on me</a>`

If it is just for the user, I would append the scripts to the body.

```javascript
// Create a <script> element, give it the user's script as its source text,
// and append it to the body; the browser executes it on insertion.
var scr = document.createElement("script");
scr.textContent = 'alert("hi")';
document.body.appendChild(scr);
```
gkiely