Han
Jul 10, 2019

see if I can understand how it’s blocking generators

Well first of all, they didn’t, at first: https://blog.bentkowski.info/2017/11/yet-another-google-caja-bypasses-hat.html

But to be clear, they don’t just eval(new Function()) the code like you do. They do a full parse (with Acorn), static analysis, and source-to-source compile. So they control a lot more about the environment their sandboxed JS runs in than the apparent global scope.

Nonetheless, I actually agree with you that not using iframe or worker is a fool’s errand (as demonstrated by that blog post) — I’m planning to use a JS sandbox only as an additional defense-in-depth against untrusted JS inside a worker in an iframe (if I’m going to run untrusted code in my customer’s browsers, I better be paranoid).
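
An added example (not part of the original comment, and not Caja's code) on the generators point: the constructors behind generator and async function syntax can compile source text but are not global names, so shadowing `Function` in the sandbox scope does not remove them. The hypothetical `auditConstructors` and `tameConstructors` below check for that path and close it at runtime, assuming a standard engine such as Node.js or a browser.

```javascript
'use strict';
// Added example; the function names are hypothetical, not Caja's API.

// One sample of each function syntax. The constructor behind each sample can
// compile source text, and only the first is also a global name (Function).
const SAMPLES = {
  Function: function () {},
  GeneratorFunction: function* () {},
  AsyncFunction: async function () {},
  AsyncGeneratorFunction: async function* () {},
};

// Report which constructors reachable via `.constructor` still compile strings.
function auditConstructors() {
  const report = {};
  for (const [name, sample] of Object.entries(SAMPLES)) {
    try {
      sample.constructor('return 1'); // benign probe body, compiled but never run
      report[name] = 'compiles strings';
    } catch (err) {
      report[name] = 'blocked';
    }
  }
  return report;
}

// Replace `constructor` on each function prototype with a throwing stub.
// Returns a function that restores the original property descriptors.
function tameConstructors() {
  const saved = [];
  for (const sample of Object.values(SAMPLES)) {
    const proto = Object.getPrototypeOf(sample);
    saved.push([proto, Object.getOwnPropertyDescriptor(proto, 'constructor')]);
    Object.defineProperty(proto, 'constructor', {
      value: function blockedConstructor() {
        throw new TypeError('string compilation is disabled');
      },
      writable: false, enumerable: false, configurable: true,
    });
  }
  return () => saved.forEach(([p, d]) => Object.defineProperty(p, 'constructor', d));
}
```

Run `auditConstructors()` before and after `tameConstructors()` inside the worker to confirm all four entries report `blocked`. This covers only the `.constructor` path and sits alongside the iframe and worker isolation rather than replacing it.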
