[英]How to create a worker in a sandboxed iframe?
I am building a sandbox for running untrusted code. 我正在构建一个用于运行不受信任代码的沙箱。 For this reason I create a sandboxed iframe (which only has the
allow-scripts
permission set in its sandbox
attribute) in order to protect the origin, and then inside that iframe I create a web-worker to ensure a separate thread and prevent freezing the main application in case the untrusted code has an infinite loop for instance. 出于这个原因,我创建了一个沙盒iframe(其
sandbox
属性中只设置了allow-scripts
权限)以保护原点,然后在iframe中创建一个web-worker以确保一个单独的线程并防止冻结主要应用程序,以防不受信任的代码具有无限循环。
The problem is, if I try to load the sandbox over https, recent Google Chrome does not allow to create a worker. 问题是,如果我尝试通过https加载沙箱,则最近的Google Chrome不允许创建工作人员。 On other browsers it works, and it also works if I load the sandbox in Chrome via http.
在其他浏览器上它可以工作,如果我通过http在Chrome中加载沙箱也可以。
Here is the code: 这是代码:
index.html: index.html的:
<!DOCTYPE html>
<html>
<head>
<title>Sandbox test</title>
<script type="text/javascript" src="main.js"></script>
</head>
<body></body>
</html>
main.js: main.js:
// determining absolute path of iframe.html
var scripts = document.getElementsByTagName('script');
var url = scripts[scripts.length-1].src
.split('/')
.slice(0, -1)
.join('/')+'/iframe.html';
window.addEventListener("load", function() {
var iframe = document.createElement('iframe');
iframe.src = url;
iframe.sandbox = 'allow-scripts';
iframe.style.display = 'none';
document.body.appendChild(iframe);
window.addEventListener('message', function(e) {
if (e.origin=='null' && e.source == iframe.contentWindow) {
document.write(e.data.text);
}
});
}, 0);
iframe.html: Iframe.html的:
<script src="iframe.js"></script>
iframe.js: iframe.js:
var code = 'self.postMessage({text: "sandbox created"});';
var url = window.URL.createObjectURL(
new Blob([code], {type: 'text/javascript'})
);
var worker = new Worker(url);
// forwarding messages to parent
worker.addEventListener('message', function(m) {
parent.postMessage(m.data, '*');
});
Demo: 演示:
http://asvd.github.io/sandbox/index.html - http demo (works everywhere) http://asvd.github.io/sandbox/index.html - http演示(无处不在)
https://asvd.github.io/sandbox/index.html - https demo (doesn't work in Chrome) https://asvd.github.io/sandbox/index.html - https演示(在Chrome中不起作用)
https://github.com/asvd/asvd.github.io/tree/master/sandbox - source (exactly as inlined in this question) https://github.com/asvd/asvd.github.io/tree/master/sandbox - source(完全如此问题中的内联)
Google Chrome then complains: 谷歌Chrome然后抱怨:
Mixed Content: The page at ' https://asvd.github.io/sandbox/iframe.html ' was loaded over HTTPS, but requested an insecure Worker script 'blob:null/a9f2af00-47b1-45c1-874e-be4003523794'. 混合内容:“ https://asvd.github.io/sandbox/iframe.html ”上的页面是通过HTTPS加载的,但是请求了一个不安全的工作人员脚本'blob:null / a9f2af00-47b1-45c1-874e-be4003523794'。 This request has been blocked;
此请求已被阻止; the content must be served over HTTPS.
内容必须通过HTTPS提供。
I also tried to load the worker code by https from a file instead of a blob, but this is not permitted anywhere, since I cannot access the files of the same origin from an iframe. 我还试图通过https从文件而不是blob加载工作程序代码,但这在任何地方都是不允许的,因为我无法从iframe访问相同来源的文件。
I am wondering if there is an opportunity to make such a sandbox work in Chrome, without adding allow-same-origin
permission to the iframe. 我想知道是否有机会在Chrome中使这样的沙箱工作,而不向iframe添加
allow-same-origin
权限。
As you have discovered, Chrome won't let you access non-https content (such as a data blob) from a https page, and also treats blob URLs as not being https. 正如您所发现的,Chrome不允许您从https页面访问非https内容(例如数据blob),并且还将blob URL视为不是https。 And without
allow-same-origin
, it then can't load any worker script files from any domain. 如果没有
allow-same-origin
,则无法从任何域加载任何工作者脚本文件。
My only suggestion is to have the iframe served from a separate https-served domain (/subdomain), and then have both allow-scripts
and allow-same-origin
. 我唯一的建议是从单独的https服务域(/ subdomain)提供iframe,然后同时使用
allow-scripts
和allow-same-origin
。 Due to being on a separate domain, the code in the iframe still won't be able to access the DOM/data of the parent page. 由于位于单独的域中,iframe中的代码仍然无法访问父页面的DOM /数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.