I am trying to use Caja to sandbox users' games, to prevent malicious code 
from being run, however when using Caja you us separate host and guest 
pages eg. example.com/host and example.com/guest

My concern is that an attacker could simply link to the unsandboxed 
example.com/guest, and bypass the sandbox entirely.

Is there any way to protect against this, such as dynamically loading the 
html from a string, or blocking direct access to example.com/guest?


You received this message because you are subscribed to the Google Groups 
"Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-caja-discuss+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to