I am currently looking into Google Caja to run user-supplied JS code in the brow

Question

I am currently looking into Google Caja to run user-supplied JS code in the browser and in Node.

So far, I understand, that, in a browser context, "cajoled code" disallows reading and messing with the window state by running unsafe code through a full-blown parser that gets rid of all kinds of attack vectors, and then safely executing that code in an iframe of the same origin.

However, I am currently working on a solution using HTML5's Worker (see here) and it seems to have the same effect. What does Caja have to offer that Worker does not have, other than the ability to customize security policies? Does it have any additional safety features?

Explanation / Answer

Whether Caja has a security advantage depends on what your goals are.

These are the main features Caja offers for code sandboxing that all sandboxing methods currently available in browsers do not, as far as I know:

Synchronous interaction: you can define APIs which can be called by the guest code and respond immediately

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.