Yes, for basic scripts gf3's module works fine, but still stick to OS security as well in case a new JS exploit arises. The reasons it is OK are as follows:
1. Communication uses serialization in a safe runner generated inside the context that is in strict mode. (General idea from #7)
2. RPC is not possible from outside the context into the context and vice versa. It is a code dump and run. Potentially you could patch this using something à la process.send and pass strings around, but there are other solutions existing.

Soo... #2 is generally not going to make life easy for you unless you have all the data up front. SES uses a wrapping/unwrapping (still classify this as #7, but done very thoroughly) technique that is a bit more thorough and allows using functions inside and outside the sandbox but limits you to some large subset of JS (you generally don't lose much).

I really would need to know much more about what you are trying to do with user code beyond run it to give more input.
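The "code dump and run" pattern from the two points above, as an added example that is not part of the original post and is not gf3's module: `runUntrusted` and `RUNNER` are hypothetical names, and the timeouts are assumed values. Node's `vm` module is not a security boundary on its own, so the OS-level controls the post recommends still apply around the child process.

```javascript
// Added illustration, not gf3's sandbox module. runUntrusted and RUNNER are hypothetical names.
const { spawnSync } = require('child_process');

// Source of the child-side runner. It reads the untrusted code from stdin, evaluates
// it in a fresh context, and emits a single JSON document on stdout.
const RUNNER = `
const vm = require('vm');
let src = '';
process.stdin.setEncoding('utf8');
process.stdin.on('data', (chunk) => { src += chunk; });
process.stdin.on('end', () => {
  let out;
  try {
    // Strict-mode wrapper; JSON.stringify runs inside the context, so only a
    // primitive string ever leaves it.
    const wrapped = '"use strict"; JSON.stringify(eval(' + JSON.stringify(src) + '))';
    const ctx = vm.createContext(Object.create(null)); // no host objects exposed
    const json = vm.runInContext(wrapped, ctx, { timeout: 500 });
    out = typeof json === 'string'
      ? { ok: true, json }
      : { ok: false, error: 'result is not serializable' };
  } catch (e) {
    out = { ok: false, error: String(e) };
  }
  process.stdout.write(JSON.stringify(out));
});
`;

function runUntrusted(source) {
  // Code dump and run: the source goes in as a string, one string comes back.
  const r = spawnSync(process.execPath, ['-e', RUNNER], {
    input: source, encoding: 'utf8', timeout: 5000,
  });
  if (r.error || r.status !== 0) return { ok: false, error: 'runner failed or timed out' };
  try {
    const msg = JSON.parse(r.stdout);
    if (msg.ok === true && typeof msg.json === 'string') {
      return { ok: true, value: JSON.parse(msg.json) }; // plain data only
    }
    return { ok: false, error: String(msg.error) };
  } catch (e) {
    return { ok: false, error: 'malformed reply from runner' };
  }
}
```

A function returned by the untrusted code is rejected rather than passed across, which is the "no RPC" limitation the post describes: all data has to be available up front.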
