Loading ...
Sorry, an error occurred while loading the content.


Expand Messages
  • Kris Zyp
    Recently I have been working on a new project, dojox.secure, to add a secure mechanism to Dojo for loading and executing untrusted code and widgets, and I
    Message 1 of 1 , Jun 9, 2008
    • 0 Attachment
      Recently I have been working on a new project, dojox.secure, to add a secure mechanism to Dojo for loading and executing untrusted code and widgets, and I wanted to share what I have now and see if there is any feedback the API, and security holes that people might be aware. dojox.secure is based on ADsafe and is intended to provide a full turnkey framework for loading untrusted widgets. dojox.secure consists of several key components:
      1. xhrPlugins - This is the XHR plugin architecture that allows developers to easily use the most appropriate cross-site mechanism to securely load untrusted cross-site resources (the previously window.name transport could plugin here).
      2. ADsafe style object-capability validator. This validator ensures that loaded untrusted JavaScript can not access the global environment, it can only access objects that have been specifically granted to the sandbox. This can run on the client, and can consequently be used when resources are directly loaded from the browser.
      3. Secure DOM facade. This is a DOM wrapper that only allows access to a provided element and it's children. Query operations and such are limited to this subset of the DOM. This performs checks on all innerHTML sets, DOM manipulation, and CSS to ensure that unsafe priviledge escalating code does not enter the DOM.
      4. Safe Dojo Library - This is a safe subset of the Dojo library that can be used by the untrusted code. Safe versions of several otherwise unsafe, but very important functions are included such as query(). There are also some additional language functions that are provided to compensate for the language restrictions enforced by the object-capability validator.
      5. Sandbox creator that brings all these components together so developers can easily load HTML or scripts and sandbox them within a single DOM element. The sandbox will also provides loading facilities for dependencies that these resources may have (scripts and css files) and safely loads and sandboxes them as well.
      The current demo and the API that is available for untrusted code can be seen here:
      An example of creating the sandbox and loading untrusted code looks like:
      var sandboxContainerElement = document.getElementById("sandbox");
      var sandbox = dojox.secure.sandbox(sandboxContainerElement);
      You can currently load HTML or JavaScript from the sandbox object (or directly execute preloaded JavaScript). Scripts can interact with their DOM subset using the provided "element" variable. I have also considered an alternate scheme where one could execute untrusted JavaScript which would return an object that would have a render(element) method that the container code could execute to display a widget within a provided element. I think this approach could be more organized and efficient, but less traditional in terms of how a script interacts with the DOM.
      Let me know if anyone has any thoughts on this design, and if you can find any security exploits. Hopefully the demo page makes it as easy possible to test possible exploits (so you don't have to report uneasy feelings).
      ----- Original Message -----
      From: Kris Zyp
      Sent: Monday, April 21, 2008 10:58 AM
      Subject: dojox.secure

      I have been working on experimental project to create a mechanism for securely running untrusted scripts with Dojo. This project uses ADsafe-like object-capability limiting in combination with a DOM facade. The idea is that an untrusted script can executed, but it will only have access to that part of the DOM (and it's descendants) that you provide it, and it won't be able to access the window object or other sensitive global objects (like cookies). Anyway, I presume that I don't have an airtight implementation yet, but I would love to have some help in trying to find holes in this security model, to see if this is going to work. I have created a test page, where you can enter a script and execute it and interact with the DOM, and see if you can access anything outside the provided sandbox:
      This system does create limitations (several are noted on the page) on what you can do in JavaScript and with the DOM.
      This would be used in combination with some type of secure loading mechanism (proxy, cross-site XHR, XDR, postMessage, etc.), to load a script in text form, and then the secure loader would execute it. I think this may have some real potential, we could provide a means for untrusted widgets and ads to be securely loaded such that they couldn't mess with main page.
    Your message has been successfully submitted and would be delivered to recipients shortly.