
I've been working on a JS library and would like to set up a demo page on GitHub that allows, for example, users to define their own callbacks and execute commands.

I know "eval() is evil" and I can see how blind eval() of scripts could lead to XSS and other security issues. I'm trying to cook up some alternative schemes.

I really enjoy the interactivity of jsFiddle. I've taken a look at their source but was hoping someone could lay out here how jsFiddle allows and executes user-defined JavaScript without being dangerous. So long as it doesn't involve a third-party echo server, I'm hoping I can emulate the approach.

1 Answer


jsFiddle executes user scripts on a separate domain, i.e., it loads an iframe containing a page that executes the JavaScript. The page in this iframe must be on a separate domain (in this case, http://fiddle.jshell.net) that has nothing that can be attacked (no cookies). (Try it and see.) Therefore, it can't interact with the parent frame and it can't steal cookies.

You can actually do this without a separate server by placing a static page in a separate domain that reads from its querystring in Javascript.
You can communicate back using the page title (and so can the enemy).
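The arrangement the answer describes, as an added example that is not jsFiddle's code and not from the original post: a host page hands the user's script to a runner page on a second, cookie-less origin via the query string; the runner evaluates it and posts the result back. The two origins, the `/run.html` path and all function names are assumptions made up for the illustration. The result channel is `postMessage` with an explicit origin check rather than the page title the answer mentions; the origin check is what keeps a third site from spoofing results into the host. The pure helpers run under Node; the browser wiring at the bottom only executes when a DOM is present.

```javascript
// Added example (not jsFiddle's code). Both origins are assumptions for illustration:
// the host is where the demo lives, the sandbox is a throwaway origin with no cookies
// and no session, so user code running there has nothing of value to steal.
const HOST_ORIGIN = 'https://demo.example.com';
const SANDBOX_ORIGIN = 'https://runner.example-sandbox.net';

// Host side: encode the user's script into the runner page's query string.
// URLSearchParams handles the escaping, so '&', '#' and '+' survive the round trip.
function buildRunnerUrl(userCode, sandboxOrigin = SANDBOX_ORIGIN) {
  const url = new URL('/run.html', sandboxOrigin); // '/run.html' is an assumed path
  url.searchParams.set('code', userCode);
  return url.toString();
}

// Host side: the entire scheme rests on the runner living on a different origin.
// A same-origin iframe could reach window.parent, the host DOM and its cookies,
// so refuse to embed the runner anywhere but the sandbox origin.
function checkSeparateOrigin(runnerUrl, hostOrigin = HOST_ORIGIN) {
  return new URL(runnerUrl).origin !== hostOrigin;
}

// Sandbox side: recover the script from the query string (the static page needs
// no server-side logic, as the answer notes).
function extractCode(runnerUrl) {
  return new URL(runnerUrl).searchParams.get('code') ?? '';
}

// Sandbox side: run the script. Indirect eval executes it in the runner page's
// global scope; it can see that page's (empty) cookies and nothing of the host's.
// Exceptions are caught so a broken script still produces a report.
function runUserCode(code) {
  try {
    const value = (0, eval)(code);
    return { ok: true, value: String(value) };
  } catch (err) {
    return { ok: false, value: String(err) };
  }
}

// Host side: accept a result message only if it really came from the sandbox
// origin; anything else is dropped. Returns the payload or null.
function acceptResult(event, sandboxOrigin = SANDBOX_ORIGIN) {
  if (event.origin !== sandboxOrigin) return null;
  return event.data;
}

// Browser wiring. Skipped under Node, where there is no window or document.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.parent !== window) {
    // We are run.html inside the iframe on the sandbox origin.
    const outcome = runUserCode(extractCode(window.location.href));
    document.title = outcome.value; // the answer's title channel, for what it is worth
    window.parent.postMessage(outcome, HOST_ORIGIN); // deliver only to the host origin
  } else {
    // We are the host page: embed the runner and listen for its report.
    window.addEventListener('message', (ev) => {
      const result = acceptResult(ev);
      if (result !== null) console.log('sandbox result:', result);
    });
    const frame = document.createElement('iframe');
    const runnerUrl = buildRunnerUrl('document.cookie');
    if (!checkSeparateOrigin(runnerUrl)) throw new Error('runner shares host origin');
    frame.src = runnerUrl;
    document.body.appendChild(frame);
  }
}
```

Loading the host page in a browser embeds the runner with `document.cookie` as the user script; the report that comes back is an empty string, which is the behaviour the comments below discuss. Swapping `SANDBOX_ORIGIN` for `HOST_ORIGIN` makes `checkSeparateOrigin` refuse to build the frame, which is the mistake the design must prevent.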


4 Comments

What does it mean to execute on a separate domain -- load an iFrame containing a page that executes the JavaScript?
@editor: Exactly. The page in the <iframe> must be on a separate domain that has nothing that can be attacked (no cookies)
@SLaks - Why does alert(document.cookie); work in jsFiddle?
A bit late. @ShlomiHassid the security concerns revolve around access to cookies, NOT access to your browser environment. Hence, alert('hello') works and outputs "hello" in an alert box, but alert(document.cookie) only outputs an empty string (the alert box does still show up, but doesn't show any cookies unless the jshell.net domain has cookies on it).
