Subj : Rhino security cookbook for untrusted javascript?
To   : netscape.public.mozilla.jseng
From : jan grant
Date : Thu Apr 28 2005 09:55 am

[Would appreciate a CC: as well as newsgroup followup - cheers]

Hullo. I've got an application that runs under an external security manager
already (it's a webapp).

The app has its own internal security model: most operations take a user object
as a parameter and utilise the capabilities of that to determine if actions are
permissable. So far, pretty straight-forward.

However, what I'd like to do is get the app to the point where external users
can upload and execute scripts (written in javascript, natch). In consequence,
these scripts are effectively untrusted and I need very careful control over
the objects and interfaces they can access.

Assuming for the moment that the objects I expose to the javascript code are
"smart enough" and well-written enough so that calling them via their main
interfaces doesn't pose a problem in and of itself...

.... what I'd like to know is, what else is there that I need to worry about? In
particular, I'm concerned about javascript getting hold of class objects, or
classloaders, and accessing singletons that way; of using Class.forName and
newInstance() to create objects I wasn't anticipating; of using reflection to
access objects or methods that I wasn't anticipating. And so on and so forth.

I've yet to find a "cookbook" that details these kinds of considerations.

I'd appreciate any feedback on this subject.

Many thanks!

.