Sandbox #7
Comments
|
not yet. we probably need it anway to avoid global scope naming collisions when adding hydra (shape / speed for example). on flok.cc, each language runs in an iframe afaik edit: what i mean by global scope naming collisions: when the user code is evaluated, the referenced functions are made available on the window. if 2 languages have overlap, only one language can win, so the other looses that variable |
yes, though (intentionally) not a very sandboxed one. on todepond.cool i make it more restricted as its intended for random strangers to come in (eg: preventing networking), and i manually remove some global functions like |
That's interesting! Maybe Flok should also have those protection mechanisms by default, and in any case maybe add an option for the user to disable them in case they need those features? |
|
looking back at my code, I think I was able to get rid of the injected alert-blocking stuff after setting the right sandbox options: <iframe
sandbox="allow-scripts allow-same-origin allow-forms"
src="https://flok.cc/s/pastagang">
</iframe>the only time it's been a problem is when someone wants to import some external library or something. the things I'm worried about are:
so sandboxing, and moving it to a separate domain worked pretty well for these i think |
|
Fixed with #34! If we add a web-only in flok, eg: munshkr/flok#315, it might be worth doing the same for that |
Is the code run in a sandbox? We should probably do some basic sandboxing like todepond.cool does
The text was updated successfully, but these errors were encountered: