Allows relatively secure execution of JavaScript code in a browser context.
Basically you just import the secureEval
function, pass it some code as a string, and await the result.
secureEval
returns a promise with the result of what you window.parent.postMessage
:
import { secureEval } from 'secure-eval';
const dangerousCode = `
const dangerousValue = 5;
window.parent.postMessage({
type: 'secure-eval-iframe-result',
dangerousValue
}, '*');
`;
executeDangerousUserCode(dangerousCode);
async function executeDangerousUserCode(code) {
const result = await secureEval(code);
console.log(result.dangerousValue);
}
An HTML string with the JavaScript code string embedded in a script tag of type module is sent to an ephemeral iframe through the src attribute. The iframe's sandbox attribute is set to allow-scripts
and the style attribute is set to display:none
. The code has no access to the DOM, cookies, local storage, session storage, or anything else really of the document the iframe is in. In my opinion, and after a few years of light research, this is extremely secure.
Infinite loops are still possible. From my research, there is not currently a way to mitigate them.
interface SecureEvalResult {
type: 'secure-eval-iframe-result';
[key: string]: any;
}
function secureEval(code: string): Promise<SecureEvalResult>
The secureEval
function takes the code to eval as a string and returns a promise with the result.