wmakeev
7/30/2015 - 12:31 PM

JS Sandboxing via Harmony Proxies and with()

JS Sandboxing via Harmony Proxies and with()

// in new iframe

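// Names the sandboxed code is allowed to resolve; any other identifier reads
// as undefined. The null prototype keeps a plain `whitelist[name]` lookup from
// falling through to Object.prototype members (constructor, toString, ...).
// NOTE: every value placed here is handed to untrusted code together with its
// own prototype chain and constructor, so expose primitives or purpose-built,
// frozen facades rather than live host objects.
var whitelist = {
  __proto__: null,
  // add whitelisted globals
};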

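// Trap table for the scope proxy. Trap names and signatures follow the original
// Harmony `Proxy.create` proposal (name-first, no target argument), not the
// ES2015 `new Proxy(target, handler)` API.
//
// Policy: only OWN properties of `whitelist` are ever visible. Inherited
// members must not leak, because a reference to an inherited constructor is
// enough for sandboxed code to get out of the whitelist.
var handler = {
  // Fundamental traps
  getOwnPropertyDescriptor: function(name) {
    var desc = Object.getOwnPropertyDescriptor(whitelist, name);
    // a trapping proxy's properties must always be configurable
    if (desc !== undefined) { desc.configurable = true; }
    return desc;
  },
  getPropertyDescriptor: function(name) {
    // Object.getPropertyDescriptor was proposed but never standardised, so
    // calling it throws. Answer from own properties only, which also matches
    // the own-properties-only policy above.
    var desc = Object.getOwnPropertyDescriptor(whitelist, name);
    // a trapping proxy's properties must always be configurable
    if (desc !== undefined) { desc.configurable = true; }
    return desc;
  },
  getOwnPropertyNames: function() {
    return Object.getOwnPropertyNames(whitelist);
  },
  getPropertyNames: function() {
    // Object.getPropertyNames never shipped either; report own names only.
    return Object.getOwnPropertyNames(whitelist);
  },
  // Silently ignore attempts to define properties on the scope object.
  defineProperty: function(name, desc) { },
  // Refuse deletions so the whitelist cannot be altered from inside.
  delete: function(name) { return false; },
  fix: function() {
    // Never allow the proxy to be fixed (frozen/sealed into a plain object):
    // that would drop the traps. Returning undefined makes the caller throw
    // a TypeError.
    return undefined;
  },

  // derived traps
  // Claim every name: `with` then resolves ALL free identifiers through this
  // proxy instead of falling through to the real global scope.
  has: function(name) { return true; },
  hasOwn: function(name) { return true; },
  get: function(receiver, name) {
    // Own-property check: a bare whitelist[name] would also return inherited
    // Object.prototype members such as `constructor`.
    return Object.prototype.hasOwnProperty.call(whitelist, name)
      ? whitelist[name]
      : undefined;
  },
  set: function(receiver, name, val) { return false; }, // don't allow
  enumerate: function() {
    var result = [];
    // `var` keeps the loop variable local; the undeclared form created a global.
    for (var name in whitelist) {
      if (Object.prototype.hasOwnProperty.call(whitelist, name)) {
        result.push(name);
      }
    }
    return result;
  },
  // Was Object.keys(obj): `obj` is not defined anywhere in this file.
  keys: function() { return Object.keys(whitelist); }
};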

// Build the scope object from the trap table. `Proxy.create` is the
// pre-ES2015 Harmony proposal API; current engines only provide
// `new Proxy(target, handler)`, whose traps take different arguments.
var proxy = Proxy.create(handler);

// Run the untrusted code with the proxy as both `this` and the `with` scope.
// Because handler.has answers true for every name, each free identifier in the
// body is resolved through handler.get rather than the real global scope.
// `with` is a SyntaxError in strict mode, so this wrapper must stay sloppy-mode.
//
// NOTE(review): this filters identifier lookups only; it is not an isolation
// boundary. Values reached without a free identifier (the prototypes and
// constructors of literals and of whitelisted values, `this` inside nested
// non-strict functions) never pass through the proxy. Treat the iframe's own
// restrictions (sandbox attribute, separate origin, CSP) as the real
// containment and this wrapper as a convenience layer on top.
(function() {
  with(this) {
    // untrusted code here
  }
}).call(proxy);