0

I'm coding a js API that is going to be used by external customers and executed by my customers in their web browsers.

As this is potentially harmful for my web users (security holes etc.), I'd like to allow or disallow access to, at least, the document global variable and others like the XMLHTTPRequest API.

How can I do this?

EDIT: I was thinking on doing things like document = null on a wrapper to the functions the API users write, but it doesn't work. Also, using this kind of approach it is difficult to be thorough as there are too many workarounds and too many possibilities to take in account all of them.

Improve this question
3
  • Depending on how you're running their code it may be possible to shadow those variables. It's not easy cutting them out completely and may require strict mode. Good luck. Commented May 20, 2014 at 11:28
  • Don't code the API in JavaScript? Use the right tool for the job. JavaScript isn't a hammer for every programming problem. Commented May 20, 2014 at 11:53
  • George, the API can be in whatever language (in this case is `node.js) but the results of the API need to be js since this is meant to be code distributed to run in web browsers. I considered using Applets or Java Web Start but I don't want to earn my customers' mistrust by telling them to install stuff. Commented Nov 18, 2014 at 13:11

2 Answers 2

Reset to default
2

The answer is simple: You can't.

This may not be answer want, but those global variables can't be modified.

Try for yourself:

window = 1;
console.log(window) // Window {top: Window, window: Window, ...

document = false;
console.log(document) // #document (as in the document object)
document = null;
console.log(document) // #document (same)

window.document = false;
console.log(window.document) // #document

However, this does seem to be possible for XMLHttpRequest:

XMLHttpRequest = null
console.log(XMLHttpRequest)        // null
console.log(window.XMLHttpRequest) // null

So, you might be able to disable individual functions.

However, messing with native functionality like this is a bad idea, since it can have unintended side effects. For example, jQuery uses XMLHttpRequest for it's ajax functions.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Not only are powerful globals unchangeable, you can't mask them effectively and even if you could, that would be security by blacklisting which has historically fared poorly against determined attackers.
1

Caja

The Caja Compiler is a tool for making third party HTML, CSS and JavaScript safe to embed in your website. It enables rich interaction between the embedding page and the embedded applications. Caja uses an object-capability security model to allow for a wide range of flexible security policies, so that your website can effectively control what embedded third party code can do with user data.

ADSafe

JavaScript, the programming language of the web browser, is not a secure language. Any script in a page has intimate access to all of the information and relationships of the page. This makes use of mashups and scripted advertising unacceptably risky.

ADsafe makes it safe to put guest code (such as third party scripted advertising or widgets) on a web page. ADsafe defines a subset of JavaScript that is powerful enough to allow guest code to perform valuable interactions, while at the same time preventing malicious or accidental damage or intrusion. The ADsafe subset can be verified mechanically by tools like JSLint so that no human inspection is necessary to review guest code for safety. The ADsafe subset also enforces good coding practices, increasing the likelihood that guest code will run correctly.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.