I am trying to use Caja to sandbox users' games, to prevent malicious code from being run, however when using Caja you us separate host and guest pages eg. example.com/host and example.com/guest
My concern is that an attacker could simply link to the unsandboxed example.com/guest, and bypass the sandbox entirely. Is there any way to protect against this, such as dynamically loading the html from a string, or blocking direct access to example.com/guest? -- --- You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
