0

We're building a site in which we will include vendor content and we also have students who code widgets that we include in our site. This may break our site when they modify the DOM outside their widget's scope. Is there a way to give vendor content (or student's widgets) a sandbox other than an iFrame? Even web components seem to allow traversing and modifying content outside their scope.

edit: Harris pointed me to this thread in the comments: Is It Possible to Sandbox JavaScript Running In the Browser?, this is basically what I have been looking for.

Edit: To the person marking this as a duplicate: ADSafe is one approach to this general question, but not specifically what I was asking for. I am asking for the options we have as developers, not how to use ADSafe nor am I having troubles getting it to work.

Community
  • 1
  • 1
Lukas
  • 9,752
  • 15
  • 76
  • 120
  • Why are you avoiding iframes? – Harris May 12 '16 at 15:08
  • I makes a lot of things really hard (like dynamic heights of things) and overall drains performance, especially on mobile. – Lukas May 12 '16 at 15:11
  • I don't know that I totally agree with that assessment, but ok. Are you using any frameworks? My first thought is to use AngularJS and have directives that have to be approved, which are self-contained and modular. – Harris May 12 '16 at 15:13
  • Still, no one would stop you from accidentally doing things like `window.document.body.innerHTML = 'I just destroyed everything';` – Lukas May 12 '16 at 15:15
  • 2
    That's where approval comes in. Without the sandbox feature of iframes, I can't think of anything that matches what you're looking for (hence the comment, rather than a full answer). Another question that seems to be asking a similar thing is [here](http://stackoverflow.com/questions/195149/is-it-possible-to-sandbox-javascript-running-in-the-browser). Maybe that will help. – Harris May 12 '16 at 15:22
  • Scope is a Javascript thing, DOM manipulation is an API available from every scope. Only sandboxing is by using iframe – Kulvar May 12 '16 at 15:42
  • Thanks Harris and Kulvar. Actually the thread you posted Harris, is more or less exactly what I have been looking for, thank you! – Lukas May 13 '16 at 08:48
  • Possible duplicate of [Can't get simple ADsafe widget to work](http://stackoverflow.com/questions/7162379/cant-get-simple-adsafe-widget-to-work) – Paul Sweatte May 11 '17 at 19:16

0 Answers0