I’m creating a service for creating web tools. The tool is a generated web page with some JS engine. The user can interact with the JS engine through the user interface. The user interface can be either ready-made or custom.

The idea of using a custom user interface is dangerous. This approach creates possible security issues (e.g. XSS).

Please advise a more efficient solution for the implementation of the HTML playground.



In an HTML playground, you want users to be able to execute arbitrary code, also when visited by others – persistent XSS by design. However, you will want to ensure that the user’s code runs in a different security context from your site’s user interface. You can achieve this by using an iframe:

  • The user-generated content can run on a different Origin than the rest of your site.
    • main site cookies are inaccessible
    • main site can use a restrictive Content Security Policy
    • but you’ll still need the usual XSRF defenses
  • The iframe can declare an appropriate allow="..." feature policy and sandbox="..." attribute.
    • For example, you can disable fullscreen access.

Note that a HTML playground is in many ways indistinguishable from a hosting service. Aside from technical security measures, you will likely also want to think about anti-abuse measures.
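The isolation the answer describes, as an added example that is not code from the question or the answer: the main site mounts the user's tool in an iframe served from a separate origin, with a `sandbox` list that deliberately omits `allow-same-origin`, a `Permissions-Policy`/`allow` list that denies features such as fullscreen, a restrictive CSP for the main site, and message and form handling that account for the frame's opaque origin. `MAIN_ORIGIN`, `PLAYGROUND_ORIGIN`, the `/tools/` path and the message shape are assumed placeholders, not the asker's real setup.

```javascript
// Added example, not from the original Q&A. MAIN_ORIGIN, PLAYGROUND_ORIGIN
// and the /tools/ path are assumed placeholders.
const MAIN_ORIGIN = "https://app.example";                    // assumed: your UI lives here
const PLAYGROUND_ORIGIN = "https://play-usercontent.example"; // assumed: user code lives here

// Attributes for the iframe that hosts one user's tool. The sandbox list
// omits allow-same-origin on purpose: the frame then runs in an opaque
// origin, so user scripts cannot read cookies or storage of either origin,
// and cannot remove the sandbox from their own frame (which
// allow-scripts + allow-same-origin together would permit).
function playgroundFrameAttributes(toolId, { allowFullscreen = false } = {}) {
  const sandbox = ["allow-scripts", "allow-forms"];
  const allow = [
    "camera 'none'",
    "microphone 'none'",
    "geolocation 'none'",
    "payment 'none'",
    `fullscreen ${allowFullscreen ? "'src'" : "'none'"}`, // 'src' = the frame's own origin
  ];
  return {
    src: `${PLAYGROUND_ORIGIN}/tools/${encodeURIComponent(toolId)}/`,
    sandbox: sandbox.join(" "),
    allow: allow.join("; "),
    referrerpolicy: "no-referrer",
  };
}

// CSP for the main site's own pages: only the playground origin may be
// framed, and nothing may frame the main site.
function mainSiteCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    `frame-src ${PLAYGROUND_ORIGIN}`,
    "frame-ancestors 'none'",
  ].join("; ");
}

// CSP for pages served from the playground origin: user code is allowed to
// run inline there (that is the point), but the page may only be embedded
// by the main site, so a user cannot frame their tool on a third-party page
// and pass it off as yours.
function playgroundCsp() {
  return [
    "default-src 'self' 'unsafe-inline' data: blob:",
    `frame-ancestors ${MAIN_ORIGIN}`,
    "base-uri 'none'",
  ].join("; ");
}

// Messages from the frame: because the frame's origin is opaque, event.origin
// is the string "null" and cannot identify the sender. Identify it by window
// identity instead, then validate the message shape before using it.
function acceptPlaygroundMessage(event, frameWindow) {
  if (event.source !== frameWindow) return null;
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "result" || typeof data.payload !== "string") return null;
  return { type: "result", payload: data.payload };
}

// Messages to the frame: the only targetOrigin that matches an opaque origin
// is "*", so never put secrets in what you send to the frame.
function postToPlayground(frameWindow, input) {
  frameWindow.postMessage({ type: "run", input: String(input) }, "*");
}

// The XSRF side the answer mentions: a form submitted from the sandboxed
// frame (allow-forms) arrives at your server with Origin "null", exactly like
// a cross-site attacker page, so state-changing requests must still carry a
// matching Origin and a per-session token. `headers` is a constructed
// lowercase-keyed header object standing in for a real request.
function isTrustedStateChange(headers, sessionToken, formToken) {
  if (headers["origin"] !== MAIN_ORIGIN) return false;
  return typeof formToken === "string" && formToken === sessionToken;
}

// Browser-side mount helper; does nothing when there is no DOM.
function mountPlayground(container, toolId, opts) {
  if (typeof document === "undefined") return null;
  const frame = document.createElement("iframe");
  for (const [k, v] of Object.entries(playgroundFrameAttributes(toolId, opts))) {
    frame.setAttribute(k, v);
  }
  container.appendChild(frame);
  window.addEventListener("message", (e) => {
    const msg = acceptPlaygroundMessage(e, frame.contentWindow);
    if (msg) console.log("tool output:", msg.payload);
  });
  return frame;
}
```

The two origins must really be different registrable domains (not just subdomains that share cookies), otherwise the cookie isolation the answer relies on is lost; and `frame-ancestors` on the playground origin matters as much as `frame-src` on the main site.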
