How safe is this interpreter? #64

Closed
cosbgn opened this issue Sep 11, 2020 · 1 comment
cosbgn commented Sep 11, 2020

I need to run some external code on my app. I'm mostly concerned that this external code can access localStorage and cookies. Can the interpreter do that? Is there a way to disable certain APIs like localStorage, eval etc?
Thank you!

Owner

Siubaak commented Nov 8, 2020

Sval isn't a safe choice.

Of course you can disable certain global APIs by just overwriting them using import, for example, `interpreter.import('localStorage', false)`.

However, external scripts can hack the prototype chain to "steal" the original one from the host environment. It's nearly impossible to protect the prototype chain, and Sval also has no protections on the original prototype at all.

Siubaak closed this as completed Nov 8, 2020