Recently I have been working on a new project,
dojox.secure, to add a secure mechanism to Dojo for loading and executing
untrusted code and widgets, and I wanted to share what I have now and see if
there is any feedback the API, and security holes that people might be aware.
dojox.secure is based on ADsafe and is intended
to provide a full turnkey framework for loading untrusted widgets. dojox.secure
consists of several key components:
1. xhrPlugins - This is the XHR plugin architecture
that allows developers to easily use the most appropriate cross-site mechanism
to securely load untrusted cross-site resources (the previously window.name
transport could plugin here).
2. ADsafe style object-capability validator. This
environment, it can only access objects that have been specifically granted to
the sandbox. This can run on the client, and can consequently be used when
resources are directly loaded from the browser.
3. Secure DOM facade. This is a DOM wrapper that
only allows access to a provided element and it's children. Query operations and
such are limited to this subset of the DOM. This performs checks on all
innerHTML sets, DOM manipulation, and CSS to ensure that unsafe priviledge
escalating code does not enter the DOM.
4. Safe Dojo Library - This is a safe subset of the
Dojo library that can be used by the untrusted code. Safe versions of several
otherwise unsafe, but very important functions are included such as query().
There are also some additional language functions that are provided to
compensate for the language restrictions enforced by the object-capability
5. Sandbox creator that brings all these components
together so developers can easily load HTML or scripts and sandbox them within a
single DOM element. The sandbox will also provides loading facilities for
dependencies that these resources may have (scripts and css files) and safely
loads and sandboxes them as well.
The current demo and the API that is available for
untrusted code can be seen here:
An example of creating the sandbox and loading
untrusted code looks like:
var sandboxContainerElement =
var sandbox =
with their DOM subset using the provided "element" variable. I have also
which would return an object that would have a render(element) method that the
container code could execute to display a widget within a provided element. I
think this approach could be more organized and efficient, but less traditional
in terms of how a script interacts with the DOM.
Let me know if anyone has any thoughts on this
design, and if you can find any security exploits. Hopefully the demo page makes
it as easy possible to test possible exploits (so you don't have to report
----- Original Message -----
Sent: Monday, April 21, 2008 10:58
I have been working on experimental project to
create a mechanism for securely running untrusted scripts with Dojo. This
project uses ADsafe-like object-capability limiting in combination with a DOM
facade. The idea is that an untrusted script can executed, but it will only
have access to that part of the DOM (and it's descendants) that you provide
it, and it won't be able to access the window object or other sensitive global
objects (like cookies). Anyway, I presume that I don't have an airtight
implementation yet, but I would love to have some help in trying to find holes
in this security model, to see if this is going to work. I have created a test
page, where you can enter a script and execute it and interact with the DOM,
and see if you can access anything outside the provided sandbox:
This system does create limitations (several are
This would be used in combination with some type
of secure loading mechanism (proxy, cross-site XHR, XDR, postMessage, etc.),
to load a script in text form, and then the secure loader would execute it. I
think this may have some real potential, we could provide a means for
untrusted widgets and ads to be securely loaded such that they couldn't mess
with main page.