0

We are creating a web application (using Sencha Ext JS) and this application needs to handle AddIn web applets that become part of the main application. But we need security as we will not be writing all of the AddIns and we don't want an AddIn able to perform actions in the context of our main app.

This would be easy if the AddIn is opened in an IFrame inside our main app's web page. But we cannot limit it to that. An AddIn may have no IFrames needed. It may also need several. And these may be created on the fly, or exist for the life of the AddIn.

The AddIn may need to display a pop-up window at times.

So, the questions I have are, in a sandboxed setup:

  1. Where/how do I run the JavaScript for the AddIn? I need to call initialize() on the AddIn code and leave that code running - in some kind of sandbox.
  2. How do I give the AddIn the ability to display a pop-up (not a distinct browser window, but a window rendered over my contents in the main browser)?
  3. I think creating an IFrame on the fly is easy - I just re-render my main window with the IFrame in it???
  4. The AddIn may be on a different domain. So CORS or JSONP? We can require newer browsers so I'm leaning CORS.
  5. What am I forgetting?

Update: I've learned a rock solid sandbox is not doable at present. My question is what can I do? Even a little is better than nothing. And how should I structure it so that when the browsers do provide real sandboxing, I'll be set up to easily take advantage of it.

thanks - dave

David Thielen
  • 28,723
  • 34
  • 119
  • 193
  • That might be an [interesting question](http://stackoverflow.com/questions/195149/is-it-possible-to-sandbox-javascript-running-in-the-browser) too. But I think you checked that already. – Knickedi Oct 31 '13 at 23:20
  • might get a lot of ideas by looking at angular.js framework as far as how to register your addins – charlietfl Oct 31 '13 at 23:48

0 Answers0