Comments on Web Reflection: Elsewhere - Sandboxes Have Never Been That Easy
Blog author: Andrea Giammarchi. Comments feed last updated 2023-06-28. 14 comments, newest first.

Markus, 2009-11-09 12:11 +01:00

Hope you still monitor this. Do you have a reference on which browsers block when a script tag is loaded in an iframe? I am currently trying to find a way to do proper error handling with JSONP when one request goes to /dev/null and blocks the execution of the rest.

Andrea Giammarchi, 2009-07-15 18:44 +02:00

Uh, ok, sorry, silly me, I stopped at the first link. Apologies.

Anonymous, 2009-07-15 18:40 +02:00

Very well :P, just to let you know, in that last post I told you you were right (note this part: "I didn't know there was another definition of sandbox.").

Andrea Giammarchi, 2009-07-15 18:37 +02:00

The term is correct, JavaScript speaking. Gareth asked me to test his sandbox from the beginning and I still tell you it is not safe. Feel free to think what you want, but please stop with this flame, OK? Elsewhere is not about security, it is about sandboxing, which is a completely different thing, got it? :)

Anonymous, 2009-07-15 18:20 +02:00

So, the problem here is the use of the term "sandbox".

http://en.wikipedia.org/wiki/Sandbox_(computer_security)

vs.

http://en.wikipedia.org/wiki/Sandbox_(software_development)

As I understand it, a sandbox is something that is meant to run unsafe code. I didn't know there was another definition of sandbox.

Oh! And about the sandbox escaping tricks, I know about them, actually I'm very familiar with them.. I could say it's my job haha, but as I said before a couple of times, a safe sandbox in Firefox is possible.. (acknowledged by Gareth Heyes, Giorgio Maone, Mario Heiderich, and a few other pros :D)

Greetings!!

Andrea Giammarchi, 2009-07-15 17:47 +02:00

sdc, the document issue has been solved today via my patch to jQuery, check that post/ticket, so I am able to use 100% of jQuery from a sandbox without problems (a simple search via id is a problem if document is not the correct one).

About safety, again, to retrieve the native sandbox window you just need this:

    var window = function(){return this}();

You can use delete to retrieve original objects (not exactly original, but a new copy of them).

I have never said Elsewhere makes JavaScript more secure; all I was talking about is compatibility between libraries and a space to put whatever we want.

I do not think a sandbox can be considered safe, but if you think so, it is just a matter of time before you'll think differently, IMHO :)

Anonymous, 2009-07-15 17:36 +02:00

> security cannot be obtained via a sandbox

I beg to differ, at least on Firefox this is possible, check the previous link.

Andrea Giammarchi, 2009-07-15 17:27 +02:00

sdc, there is nothing secure in any case, and Elsewhere's purpose, as I said, is to create an empty environment. Elsewhere's purpose is NOT to create anything more secure, because security cannot be obtained via a sandbox, while a scope with global functions or prototypes will not affect and will not be affected by other scripts. That is why I have already implemented a sandbox version of jQuery which could run without problems in a window with Prototype or other libraries.

Have a look ;) http://groups.google.com/group/jquery-dev/browse_thread/thread/403a1b7869e95a4c/477381904f872c4a?lnk=gst&q=sandbox#msg_bd544c6d350f6b3c

Andrea Giammarchi, 2009-07-15 17:24 +02:00

Daniel, Elsewhere's purpose is to create one or more sandboxes and execute whatever you need in a clean environment. Elsewhere itself does not change anything about that sandbox, so it is a bit more flexible than your PJ library, which is interesting in any case, and I did not know about it.

Anonymous, 2009-07-15 16:34 +02:00

Hi!

I've been playing with this for some time in the past, and I think you should state that this sandbox should not be used for security, since sandboxed scripts have access to the parent window (as you show).

I have made a safe sandbox using this approach that only works on Firefox (safe meaning that it won't allow dangerous code to be executed nor traverse the DOM).

//sandbox.sirdarckcat.net/

I also have a contest that uses the sandbox, if you are interested :)

Oh, and jQuery won't work in all cases (but it works most of the time anyway) because you can't import nodes into the current document if they were created in other documents (e.g. HTMLElement.ownerDocument is different) and are cloned nodes (in that case you should use the importNode function, something that jQuery doesn't do). This is a non-issue most of the time, since the operations that jQuery does don't make reference to the document until they are appended, but code like this one:

    parent.jQuery=$;
    parent.jQuery("\x3cimg src=x onerror=alert(location)>")

will alert the framed location (just to give an example, in WebKit and IE there are some other scenarios).

Greetings!!

Anonymous, 2009-07-15 16:03 +02:00

Looks like my experiment http://github.com/Steida/PJ/tree/master

rick, 2009-07-13 23:30 +02:00

Very cool.

Andrea Giammarchi, 2009-07-12 23:37 +02:00

Josh, of course I created it ;) Cheers

Josh Powell, 2009-07-12 23:14 +02:00

Did you create this? It's brilliant.