
Does 'separate domain sandboxing' (protecting from JS cookie hijacking) still work with a subdomain?

Developer https://www.devze.com 2023-01-11 03:57 Source: Internet

A little further detail:

  • I'm running a site where users can submit Javascript freely
  • Other people will preview this Javascript 'live'
  • There will be basic measures in place to stop naughties like eval(), but inevitably some may unfortunately slip through
  • The site is mysite.com. I gather running the scripts from myotherdomain.com will prevent cookie hijacking; however, will running them from js.mysite.com prevent it too? (read: cheapskate, save money on an extra domain)
  • Finally, will running it in an <iframe> from mysite.com to either a separate domain or a subdomain still work as effectively as loading an entirely new site?


The Same Origin Policy (SOP) applies to subdomains, ports, protocols and domains.
If there is a difference in one of these properties, the SOP will prevent the access.

As long as you do not use document.domain on your main page, the subdomain will get the SOP protection. If you use document.domain in the main page, a script could do the same in the iframe and bypass the SOP.

Now if you want to enable some safe communication between iframes, you can use window.postMessage if you target modern browsers and mobiles.

And for older browsers there are some tricks to do, like the window.name trick.

This does not prevent Cross Site Scripting (making a POST to your domain with your current valid cookies from the iframe). You need to use a secret token that only the JavaScript in your main page knows and that will be sent with each request.
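As an added illustration of the points in this answer (not code from the original thread), here is a small Node script that models the SOP origin tuple, the document.domain relaxation warned about above, and an origin-checked window.postMessage receiver. The function names, the "preview-height" message type and the js.mysite.com preview origin are assumptions made for the example.

```javascript
// Added example, not from the thread above: a small model of the origin
// comparison the answer describes (scheme, host, port), the document.domain
// relaxation it warns about, and an origin-checked postMessage receiver.
// Runs under Node using the WHATWG URL class; no browser is needed.

// URL.port is "" when the scheme default is in use, so fill it in.
function effectivePort(u) {
  if (u.port !== "") return u.port;
  return { "https:": "443", "http:": "80" }[u.protocol] || "";
}

// Plain SOP check: scheme, host and port must all match, so a script on
// js.mysite.com cannot read mysite.com's DOM or document.cookie.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
    ua.hostname === ub.hostname &&
    effectivePort(ua) === effectivePort(ub);
}

// document.domain may only be set to the page's own host or a parent of it.
function domainMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Origin check after each page has (or has not) set document.domain.
// When both sides set the same value, only scheme and that domain are
// compared: this is how the sandbox is lost if the main page uses
// document.domain and the untrusted script in the iframe does the same.
function sameOriginDomain(a, b, domA, domB) {
  const ua = new URL(a), ub = new URL(b);
  if (domA && !domainMatches(ua.hostname, domA)) throw new Error("bad domain: " + a);
  if (domB && !domainMatches(ub.hostname, domB)) throw new Error("bad domain: " + b);
  if (domA && domB) return ua.protocol === ub.protocol && domA === domB;
  if (domA || domB) return false; // only one side relaxed: still separate
  return sameOrigin(a, b);
}

// postMessage receiver on the main page: trust only the preview iframe's
// origin and validate the payload before acting on it. `event` has the
// MessageEvent shape ({ origin, data }); a constructed object stands in here.
function acceptPreviewMessage(event, previewOrigin) {
  if (event.origin !== previewOrigin) return null; // drop other senders
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "preview-height") return null;
  const h = Number(d.height);
  return Number.isInteger(h) && h > 0 && h <= 5000 ? h : null;
}
```

In a real page the receiver would be wired up with window.addEventListener("message", e => acceptPreviewMessage(e, "https://js.mysite.com")), and the anti-CSRF token mentioned above is still needed separately for requests.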


The best way is to run it in an appropriate sandbox, not to strip some code. I think you can do stuff like delete eval; or eval = null;. You might have additional luck with delete document or document=null or delete document.cookie. Test on a variety of browsers, of course.

EDIT: Also consider using "httponly" cookies, which (on many browsers) prevents them from being accessed in JavaScript. It's originally an IE extension, but has been incorporated into most major browsers IIRC.


Yes, a subdomain is the same, except for cookies that are domain cookies.

