jailed
jailed copied to clipboard
asvd
execute untrusted code with custom permissions
I'm sure I'm missing something obvious, but how do I go about passing an object of key / value pairs to the jailed code? For example, if I had something...
I was recently [notified by Github](https://github.com/advisories/GHSA-77m7-9wvw-87fx) regarding [CVE-2022-23923](https://nvd.nist.gov/vuln/detail/CVE-2022-23923). The actual description of the issue is a bit odd so wanted to get clarification on its impact. It is described with:...
Would you be open to adding a Content-Security-Policy to the frame file? My scenario is: 1. A user writes a script that customizes the workflow of a form. 2. These...
Any help would be appreciated! 
Is there any documentation anywhere as to why the Web Worker is launched from inside an iframe, as opposed to just relying on the worker for isolation? I understand defense-in-depth,...
The file [lib/_frame.js](https://github.com/asvd/jailed/blob/4d26cd264b83faab2737905eb33b6536af880519/lib/_frame.js) contains this code: ``` // mixed content warning in Chrome silently skips worker // initialization without exception, handling this with timeout var fallbackTimeout = setTimeout(function() { worker.terminate();...
The sandbox iframe can be navigated to an attacker-controlled URL by another, malicious frame. If the sandbox is sent any user data, it can be captured this way. PoC: https://jsfiddle.net/urv6tx44/2/
How can I write clean code without 'application.remote.'? I don't want write like that: `var code = "application.remote.alert('Hello from the plugin!');";` I need this clean code: `var code = "alert('Hello...
do you know if it's possible to expose values or methods to the jailed plugin? From what I'm understanding you can expose functions that the worker can execute 1 time...
The old way breaks if you load the script using html imports Then the url is pointing at an invalid script.
