I’m creating a service for creating web tools. The tool is a generated web page with some JS engine. The user can interact with the JS engine through the user interface. The user interface can be either ready-made or custom.
The idea of using a custom user interface is dangerous. This approach creates possible security issues (e.g. XSS).
Please advise a more efficient solution for the implementation of the HTML playground.
In an HTML playground, you want users to be able to execute arbitrary code, also when visited by others – persistent XSS by design. However, you will want to ensure that the user’s code runs in a different security context from your site’s user interface. You can achieve this by using an iframe:
- The user-generated content can run on a different Origin than the rest of your site.
  - main site cookies are inaccessible
  - main site can use a restrictive Content Security Policy
  - but you’ll still need the usual XSRF defenses
- The iframe can declare an appropriate `allow="..."` feature policy and `sandbox="..."` attribute. For example, you can disable fullscreen access.
Note that a HTML playground is in many ways indistinguishable from a hosting service. Aside from technical security measures, you will likely also want to think about anti-abuse measures.
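The separation the answer above describes, as an added example that is not part of the original answer: the host UI and the user's tool sit on two different origins, the host embeds the tool in a sandboxed iframe with a restrictive `allow` policy, and the two sides talk only over `postMessage` with explicit origin checks. The hostnames `app.example` and `play.example-usercontent.net`, the `/tools/<id>/` path and all function names are assumptions made for this example.

```javascript
// Added example (not from the original answer). Assumed hostnames: the host UI is
// served from https://app.example, every user-generated page from
// https://play.example-usercontent.net, so the two never share an origin.
const HOST_ORIGIN = "https://app.example";
const PLAYGROUND_ORIGIN = "https://play.example-usercontent.net";

// Minimal escaping for values placed inside double-quoted HTML attributes.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Markup for embedding one tool in the host page. The user's HTML/JS is never
// inlined into the host document; the browser fetches it from the playground origin.
function buildPlaygroundIframe(toolId) {
  // allow-same-origin is tolerable only because the frame already lives on a
  // separate host (on the host's own origin, allow-scripts + allow-same-origin
  // would let the frame remove its own sandbox). Without it the frame would get
  // an opaque origin and its messages would arrive with origin "null", which the
  // receiver below could not verify.
  const sandbox = "allow-scripts allow-forms allow-same-origin";
  // Permissions Policy for the frame: deny the features a tool has no business using.
  const allow = [
    "fullscreen 'none'", "camera 'none'", "microphone 'none'",
    "geolocation 'none'", "payment 'none'",
  ].join("; ");
  // encodeURIComponent keeps a hostile toolId from breaking out of the URL or attribute.
  const src = `${PLAYGROUND_ORIGIN}/tools/${encodeURIComponent(toolId)}/`;
  return `<iframe src="${escapeAttr(src)}" sandbox="${sandbox}" ` +
    `allow="${escapeAttr(allow)}" referrerpolicy="no-referrer"></iframe>`;
}

// Response headers for the host UI: no inline script, and the only thing it may
// frame is the playground origin.
function hostSecurityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; " +
      `frame-src ${PLAYGROUND_ORIGIN}; frame-ancestors 'none'; base-uri 'self'`,
  };
}

// Response headers for the playground origin: user scripts may run, but only the
// host may frame the page. Set no cookies on this origin at all.
function playgroundSecurityHeaders() {
  return {
    "Content-Security-Policy": `frame-ancestors ${HOST_ORIGIN}`,
    "X-Content-Type-Options": "nosniff",
  };
}

// Host side: accept a message only if it comes from our frame's window AND from
// the playground origin. event.source alone is not enough (the frame may have
// navigated somewhere else); event.origin alone is not enough if several frames
// from that origin are open.
function isTrustedPlaygroundMessage(event, frameWindow) {
  return event.source === frameWindow && event.origin === PLAYGROUND_ORIGIN;
}

// Host side: always name the target origin. A "*" target would hand the data to
// whatever page the frame currently shows.
function sendToPlayground(frameWindow, message) {
  frameWindow.postMessage(message, PLAYGROUND_ORIGIN);
}

// Browser usage (the functions above are pure so they also run under Node):
//   document.body.insertAdjacentHTML("beforeend", buildPlaygroundIframe("demo-1"));
//   const frame = document.querySelector("iframe");
//   window.addEventListener("message", (ev) => {
//     if (!isTrustedPlaygroundMessage(ev, frame.contentWindow)) return;
//     handleToolOutput(ev.data);          // hypothetical host-side handler
//   });
//   sendToPlayground(frame.contentWindow, { type: "run" });
```

One caveat: with a single shared playground origin, every user's tool is same-origin with every other user's tool, so they can read each other's storage and script each other's frames. Giving each tool its own subdomain under the user-content domain keeps the host/tool split described above and additionally isolates tools from one another.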