
Quick sidenote: this is not a "possible duplicate" of the post "Is It Possible to Sandbox JavaScript Running In the Browser?"; it had nothing about cookies - and I need to ask about cookies. I did read the answers, though.


Hello! I have a webpage where registered users can create their own HTML pages and access and edit them easily.

Each time a user does an action, to prove that the user who does the action IS the user on whose account the action is done (in other words, to verify a user), a login token is sent to the server along with the action that has to be done. (Quick note: the token I am storing is NOT the user's password, it is a randomly generated string which changes on each login). And this works, but there is a problem.

As the users have the ability to create their own HTML pages, someone could create a page which reads the user's login cookie and sends it to someone. Using this method, someone could get inside someone else's account.

I heard about https://developers.google.com/caja/ - something which seemed very useful. I read the CAJA page, but there was nothing about preventing cookies.

Ideally, I would like users to still be able to store and read their own cookies, but not the login token one. Though that is probably impossible.

So, completely blocking user-created scripts from reading or writing cookies would work.

But there's a problem: I am completely new to CAJA. Could someone explain how to block cookies using CAJA or in fact - anything like it?

Thank you in advance

Tee-Tree
  • 31
  • 5

1 Answer


This question is pretty old, but I just started using Caja. After implementing it, I wrote some 'guest code' that tried a few things: creating a popup (alert method), reading cookies and accessing global variables. The code running inside Caja couldn't do any of those things. If I run that same code outside Caja, it can. So Caja will work for what you are trying to do.

Here is my example:

var htmlId = "performance";

// Load the Caja runtime from the hosted Caja server
caja.initialize({
    cajaServer: 'https://caja.appspot.com/',
    debug: true
});

caja.load(document.getElementById(htmlId), undefined, function (frame) {
    // Set up config object for the activity
    var config = {};
    config.keydown = false;
    // Fetch the untrusted guest script and run it inside the sandboxed frame
    frame.code('https://localhost:44327/badcode', 'application/javascript')
        .run(function (guestF) {
            var app = frame.untame(guestF);
            console.log(app);
            startCommandLineActivity(config, app);
        });
});

The untrusted code is loading via the URL 'localhost/badcode', which is just a .js file.

Their docs are pretty good, I'd suggest you start there: https://developers.google.com/caja/docs/runningjavascript/

Lin Meyer
  • 712
  • 5
  • 19
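
A sandbox self-test in the spirit of the guest code the answer above describes (popup, cookie read, host globals), written as an added example that is not the answerer's code and not part of Caja. The function names, the `appConfig` global and the stand-in scope objects are constructed assumptions; the probe reports only whether each capability is reachable and never returns the cookie value.

```javascript
// Added example: capability probe for checking that a sandbox denies what it should.
// `scope` is the global object the guest code sees; `hostGlobalName` is the name of
// a variable the host page defines and the guest must not be able to reach.
function probeCapabilities(scope, hostGlobalName) {
  const results = {};
  const attempt = (name, check) => {
    try {
      results[name] = check() ? 'reachable' : 'blocked';
    } catch (err) {
      // A sandbox may throw on access instead of returning undefined.
      results[name] = 'blocked';
    }
  };

  // 1. Popup: is a callable alert exposed? (Checked, not invoked.)
  attempt('alert', () => typeof scope.alert === 'function');

  // 2. Cookies: can the guest read a non-empty cookie string?
  //    Set a test cookie on the host page first, otherwise an empty
  //    string cannot be told apart from a blocked read.
  attempt('cookieRead', () => {
    const value = scope.document.cookie;
    return typeof value === 'string' && value.length > 0;
  });

  // 3. Host globals: is the host page's variable visible to the guest?
  attempt('hostGlobal', () => scope[hostGlobalName] !== undefined);

  return results;
}

// The sandbox holds only if every probed capability is blocked.
function sandboxHolds(results) {
  return Object.values(results).every((state) => state === 'blocked');
}

// Constructed stand-ins so the example runs outside a browser.
const hostPage = {
  alert() {},
  document: { cookie: 'login_token=CONSTRUCTED-VALUE' },
  appConfig: { keydown: false },
};
const emptyScope = {}; // guest sees no document at all
const throwingScope = {
  document: { get cookie() { throw new Error('denied'); } },
};

console.log(probeCapabilities(hostPage, 'appConfig'));
console.log(probeCapabilities(throwingScope, 'appConfig'));
```

In a browser, call `probeCapabilities(globalThis, 'appConfig')` once on the host page and once from the guest script, then compare the two result objects.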