On Fri, Feb 9, 2018 at 12:32 PM, Marc H <zappythe...@gmail.com> wrote:

> I am trying to use Caja to sandbox users' games, to prevent malicious code
> from being run; however, when using Caja you use separate host and guest
> pages, e.g. example.com/host and example.com/guest
>
> My concern is that an attacker could simply link to the unsandboxed
> example.com/guest, and bypass the sandbox entirely.
>
> Is there any way to protect against this, such as dynamically loading the
> html from a string, or blocking direct access to example.com/guest?
>

You can load content from a string — instead of frame.code use
frame.content(url, content, mimeType) where url is only used for
relative-URL resolution. Or you can use a custom fetcher function in the
uriPolicy which receives the specified URL and returns the content obtained
in some other way than an XHR.

You could also use a separate domain for hosting "untrusted user content"
which has nothing to attack.
