
I have a very simple question, with maybe a less simple answer:

I want to construct an html file, including css and javascript. Parts of the code could come from external users, and I want to prevent it from having any network access whatsoever. This means: no AJAX calls using javascript, no programmatic redirects, but not even <img> tags with src= or <a> tags with href=.

  • Content Security Policy almost seemed to do the job, but a plain old hyperlink like <a href="https://evil.com/someUserData">click me</a> still seems to work.
  • Google Caja seems to be doing the job, but I want to understand completely how this works and I'm new to Java.

So, my questions are:

  • Is there any way this sandbox functionality can be accomplished with CSP?
  • Is Google Caja (using uriPolicy) a secure way of preventing any home-phoning from hackers?
  • Any other tips & tricks?
Sventies
  • What are you *actually* trying to do? You are trying to control what the client user agent can do which never works. – zero298 Jul 05 '17 at 19:23
  • Nah, it's more that I want to protect an unknowing client from getting their data sent to malicious users. These malicious users may have provided parts of the html code before it gets into the sandbox – Sventies Jul 05 '17 at 19:25
  • Are you trying to use text from users? If so, escape it. Or, do you need HTML but with nothing but some basic formatting? – Brad Jul 05 '17 at 19:25
  • I actually want to use javascript that users share with each other, but just prevent this script (or html, or a combination) from sending sensitive data to unknown sources – Sventies Jul 05 '17 at 19:26
  • https://developers.google.com/caja/docs/about/ seems to state that the Google service (Caja) runs the 3rd party Javascript through a scrubber, where it inserts code safety checks and probably removes/disables their use of Javascript APIs that you don't allow. For instance, you say the 3rd party code can't use AJAX, Caja analyzes the Javascript for AJAX and "cajoles" it, preventing those AJAX calls. – Nate Jul 05 '17 at 20:08
  • See https://stackoverflow.com/questions/43813770/how-to-intercept-all-http-requests-including-form-submits/43815800#43815800 for an explanation of how you maybe could do this using a Service Worker, with the modification that in your respondWith(…) method, you never call fetch(…) but instead just drop the requests on the floor. – sideshowbarker Jul 06 '17 at 01:12
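As an added example (not part of the question or any of the comments above), here are two of the enforcement layers the discussion touches, written as a small Node module (Node 18+ for the global Response): the response headers a server would put on the origin that serves the untrusted document, and the Service Worker fetch handler from the last comment that drops every request instead of forwarding it. The function names sandboxHeaders, interceptable and handleFetch, and the origin https://sandbox.example, are assumptions of this example.

```javascript
// Added example, not code from the question or its comments.
// Two enforcement layers for a "no network access" document.

// Layer 1: headers the server sends with the untrusted document.
// CSP fetch directives stop scripts, styles, images, fonts, XHR, fetch and
// WebSocket from reaching any origin; form-action stops form submissions;
// the sandbox directive gives the document an opaque origin and removes
// popups, top-level navigation and forms. What none of these cover is the
// document navigating itself (an <a href> click or location.href = ...),
// which is exactly the "plain old hyperlink still works" observation.
function sandboxHeaders() {
  const csp = [
    "default-src 'none'",          // nothing may be fetched from anywhere
    "script-src 'unsafe-inline'",  // the embedded user script may run; nothing external loads
    "style-src 'unsafe-inline'",   // inline CSS only; url() in CSS is still refused by default-src
    "form-action 'none'",          // no form submission targets at all
    "base-uri 'none'",             // no <base> tricks to rewrite relative URLs
    "sandbox allow-scripts",       // opaque origin, no popups, no top navigation, no forms
  ].join('; ');
  return {
    'Content-Security-Policy': csp,
    'Referrer-Policy': 'no-referrer',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Layer 2: a Service Worker registered for the sandbox origin.
// A worker only sees (a) subresource requests made by pages it controls and
// (b) navigation requests whose destination is inside its own scope. A
// cross-origin navigation is routed to the destination's worker, if any,
// never to ours, so the worker cannot be the layer that stops the link.
function interceptable(request, scopeOrigin) {
  const url = new URL(request.url);
  if (request.mode === 'navigate') {
    return url.origin === scopeOrigin; // only same-scope navigations reach us
  }
  return true; // fetch/XHR/img/script/etc. from a controlled page
}

// fetch event handler: never calls fetch(); answers with a network error.
// In the worker file this would be installed with
//   self.addEventListener('fetch', handleFetch);
function handleFetch(event) {
  event.respondWith(Response.error()); // type 'error', status 0, no body
}
```

Two caveats worth keeping in mind when wiring this up: a Service Worker only controls pages loaded after it is registered and activated (self.clients.claim() in the activate handler shortens that window), and because the self-navigation gap above is outside both CSP and the worker, the remaining option is the one the Caja comment describes: rewriting the untrusted code so it never obtains a usable reference to location, window.open or anchor elements in the first place.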

0 Answers