javascript - How to create a worker in a sandboxed iframe? -


i building sandbox running untrusted code. reason create sandboxed iframe (which has allow-scripts permission set in sandbox attribute) in order protect origin, , inside iframe create web-worker ensure separate thread , prevent freezing main application in case untrusted code has infinite loop instance.

the problem is, if try load sandbox on https, recent google chrome not allow create worker. on other browsers works, , works if load sandbox in chrome via http.

here code:

index.html:

<!doctype html> <html>   <head>     <title>sandbox test</title>     <script type="text/javascript" src="main.js"></script>   </head>   <body></body> </html>

main.js:

// determining absolute path of iframe.html var scripts = document.getelementsbytagname('script'); var url = scripts[scripts.length-1].src     .split('/')     .slice(0, -1)     .join('/')+'/iframe.html';  window.addeventlistener("load", function() {     var iframe = document.createelement('iframe');     iframe.src = url;     iframe.sandbox = 'allow-scripts';     iframe.style.display = 'none';     document.body.appendchild(iframe);      window.addeventlistener('message', function(e) {         if (e.origin=='null' && e.source == iframe.contentwindow) {             document.write(e.data.text);         }     }); }, 0);

iframe.html:

<script src="iframe.js"></script>

iframe.js:

var code = 'self.postmessage({text: "sandbox created"});'; var url = window.url.createobjecturl(     new blob([code], {type: 'text/javascript'}) );  var worker = new worker(url);  // forwarding messages parent worker.addeventlistener('message', function(m) {     parent.postmessage(m.data, '*'); });

demo:

http://asvd.github.io/sandbox/index.html - http demo (works everywhere)

https://asvd.github.io/sandbox/index.html - https demo (doesn't work in chrome)

https://github.com/asvd/asvd.github.io/tree/master/sandbox - source (exactly inlined in question)

google chrome complains:

mixed content: page @ 'https://asvd.github.io/sandbox/iframe.html' loaded on https, requested insecure worker script 'blob:null/a9f2af00-47b1-45c1-874e-be4003523794'. request has been blocked; content must served on https.

i tried load worker code https file instead of blob, not permitted anywhere, since cannot access files of same origin iframe.

i wondering if there opportunity make such sandbox work in chrome, without adding allow-same-origin permission iframe.

as have discovered, chrome won't let access non-https content (such data blob) https page, , treats blob urls not being https. , without allow-same-origin, can't load worker script files domain.

my suggestion have iframe served separate https-served domain (/subdomain), , have both allow-scripts , allow-same-origin. due being on separate domain, code in iframe still won't able access dom/data of parent page.


Comments

Post a Comment

Popular posts from this blog

angularjs - ADAL JS Angular- WebAPI add a new role claim to the token -

i have created angular spa webapi backend using adal js authentication.as there no roles in ad, need manually add role claims in order give users access different api controllers. the roles stored in database. expecting inject claim through call webapi after authentication ad. webapi code might this. identity.addclaim(new claim("role", "user")); var ticket = new authenticationticket(identity, props); var accesstoken = startup.oauthbeareroptions.accesstokenformat.protect(ticket); is possible replace adal idtoken new token? is viable solution or there other better way handle this? as initial token generated azuread, possible edit token add new claim? appreciated. graph api supporting group claims. see here: http://justazure.com/azure-active-directory-part-4-group-claims/ if @ examples on page, users assigned groups , app can check group in claims. in current version of portal, need app manifest , modify it.
Read more

php - CakePHP HttpSockets send array of paramms -

i problem when make request (i can request). $link = 'http://uri/path/?param1=1&sid=2&sid=3&sid=4' $http = $httpsocket = new httpsocket(); $res = $httpsocket->get($link); if check request pr($http); i see : [line] => /url/path/?param1=1&sid%5b0%5d=2&sid%5b1%5d=3&sid%5b2%5d=4 http/1.1 and i'm getting empty response because server doesn't know parameters sid%5b0%5d=2 when try send parameters array : $data = array('param1' => '1', 'sid' => array('2','3', '4')); i see same changes %5b0%5d - additional indexes. how fix it? unfortunately , can not change server side, if send request in browser, i'll normal response in json format. when make request, can parameters this: $param1 = $_get['param1']; $sid= $_get['sid']; tip: use diferente names parameters. have multiples sid. use sid1, sid2, sid3... update: can parameters this:
Read more

node.js - Using Node without global install -

i'm working on few node & electron (atom shell) projects , i'm curious how them work without user having install node globally. i've seen few applications including node directory in project contains node.exe binary. how go setting node project use binary? edit: thought should add, i've searched everywhere answer this, unrelated results.
Read more