Sandboxed JavasScript function

Question

I'm creating an extension for Chrome (Just noraml HTML/JS). I would like to make an advanced scripting mode for users.

In a form I'll put this:

function generateString(){
    //EDITABLE PART
    return val;
}

if somebody for example put window.location="", nothing should happen, or if somebody put myVar=55; (previously defined in my code), it shouldn't do anything either. The only thing that I want to access is the return value.

Is this possible somehow? Googled for it and found something about putting it into a iframe, but they could still do window.location="javascript:dosomehaxing()", right?

Thanks a lot!

Does it really matter? True, a user can do "evil" things but such things will only affect his own computer anyway. He can edit your extension's script at any time as well. — pimvdb, Oct 27 '11 at 16:52
True, but I would like users to be able to share the script to others too, and that could turn out quite dangerous if somebody can run javascript through an extension with access too "all pages" — Henrik Karlsson, Oct 27 '11 at 17:59
see http://stackoverflow.com/questions/195149/is-it-possible-to-sandbox-javascript-running-in-the-browser — serg, Oct 27 '11 at 18:35
I wonder if you could send the string version of the user's script to a separate node server. It runs the script and returns the results, but this limits what the programmer can do. — Michael Warner, Jul 15 '16 at 16:24

score 0 · Accepted Answer · edited May 23 '17 at 12:32

0

Since nobody posted an answer in the answer section, I'll post my findings here:

From the thread that serg commented with, the question "Is It Possible to Sandbox JavaScript Running In the Browser?", JSandbox seems to be the best, lightweight option to me. Its syntax is quite simple, too.

edited May 23 '17 at 12:32

Community

1
1

answered Aug 23 '12 at 17:43

Henrik Karlsson

5,559
4
25
42

Sandboxed JavasScript function

1 Answers1