Say I have a page on example.com. This page contains an iframe showing sandbox.example.com.

    ---------------------------
    | example.com             |
    | ----------------------- |
    | | sandbox.example.com | |
    | | (<canvas> + js)     | |
    | ----------------------- |
    ---------------------------

The sandbox will execute scripts that can be potentially dangerous. The sandbox will be a combination of my own JavaScript running alongside untrusted JavaScript code from other sources.
I would publish far fewer of my application's routes to sandbox.example.com, so the same-origin policy should prevent access to any sensitive data or actions. Things like session cookie theft and authenticated AJAX password-changing requests are the types of problems I'm trying to avoid.
The idea is that the extensible rendering mechanism provided by the multiplier, which is expanded by code from others, all turns into a single-page rendering in one canvas.
So will it be considered safe? If you log into example.com and run an iframe on sandbox.example.com with unreliable JS execution inside it, do you risk any kind of attack?
Is the subdomain adequate? Or would it be safe if it were a completely different domain?
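The cookie side of the setup described in the question, as an added example that is not part of the original post: it applies the RFC 6265 domain-matching rule to show which cookies set by example.com would also be sent to sandbox.example.com. The cookie names and attributes are constructed sample data, and the function names are hypothetical.

```javascript
// Added example; the cookie list is constructed sample data, not taken from a real site.

// Same-origin check: scheme, host and port must all match.
function sameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// RFC 6265 section 5.1.3: the host equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// Would a cookie set by setByHost be attached to requests for requestHost?
// Without a Domain attribute the cookie is host-only: exact host match required.
function sentTo(cookie, setByHost, requestHost) {
  if (!cookie.domain) return requestHost.toLowerCase() === setByHost.toLowerCase();
  return domainMatch(requestHost, cookie.domain);
}

// List the parent site's cookies that reach the sandbox host, and whether
// script running there could read them through document.cookie.
function auditCookies(cookies, parentHost, sandboxHost) {
  return cookies
    .filter((c) => sentTo(c, parentHost, sandboxHost))
    .map((c) => ({ name: c.name, readableByScript: !c.httpOnly }));
}

// Constructed sample: three ways the parent site might set its cookies.
const sampleCookies = [
  { name: "session_hostonly", domain: null, httpOnly: true },
  { name: "session_wide", domain: "example.com", httpOnly: false },
  { name: "prefs", domain: ".example.com", httpOnly: true },
];

console.log(sameOrigin("https://example.com/", "https://sandbox.example.com/"));
console.log(auditCookies(sampleCookies, "example.com", "sandbox.example.com"));
```

Only the host-only cookie stays out of the sandbox host's requests; the two cookies with a Domain attribute are sent there, and the one without HttpOnly is also visible to script in the frame.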