asvd / jailed

execute untrusted code with custom permissions
MIT License

Console demo allows XMLHttpRequests to CORS-enabled servers #3

Closed maxrothman closed 9 years ago

maxrothman commented 9 years ago

The console demo already monkey-patches over things like navigator and console, but not XMLHttpRequests. With the advent of CORS, this means sandboxed code can make requests to out-of-domain servers. For example:

x = new XMLHttpRequest(); x.open('GET', 'https://cors-test.appspot.com/test', false); x.send(); x.response;
> {"status": "ok"}

While the sandbox doesn't have access to any user data (as far as I can tell), it could allow an attacker to essentially create a botnet if sandboxed user code was shared with other users. Since the demo serves as an example of what to monkey-patch over in a plugin, XMLHttpRequest should be added to the list.
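As an added illustration (not code from the jailed project or from this report), the following shows what extending the console demo's existing "monkey-patching" approach to `XMLHttpRequest` could look like: every network-capable global that exists in the sandbox scope is replaced by a stub that throws, and the stub is made non-writable and non-configurable so sandboxed code cannot simply reassign it. The names `installNetworkGuards`, `attemptRequest` and `makeFakeScope` are assumptions for this example, and the fake scope is constructed stand-in data (a worker would pass `self`). As the maintainer points out below, such stubs only keep demo users from making requests by accident; the isolation boundary is the sandboxed iframe provided by the browser, not these patches.

```javascript
// Added example, not jailed's own code: stub out network-capable globals in a
// sandbox scope, in the same style the console demo uses for `console` and
// `navigator`. This is a convenience for demo users, not a security boundary.

const NETWORK_GLOBALS = ['XMLHttpRequest', 'fetch', 'WebSocket', 'EventSource'];

// Returns a stub that throws a descriptive error whenever it is called or constructed.
function makeBlockedStub(name) {
  const stub = function () {
    throw new Error(name + ' is not available in the sandbox console');
  };
  Object.defineProperty(stub, 'name', { value: name });
  return stub;
}

// Installs non-writable, non-configurable stubs over every network global that
// exists in `scope` (e.g. `self` inside a worker). Returns the names patched.
function installNetworkGuards(scope) {
  const patched = [];
  for (const name of NETWORK_GLOBALS) {
    if (!(name in scope)) continue; // skip globals this scope does not have
    Object.defineProperty(scope, name, {
      value: makeBlockedStub(name),
      writable: false,
      configurable: false,
      enumerable: true,
    });
    patched.push(name);
  }
  return patched;
}

// Runs the synchronous request from the report above against `scope` and
// returns either the response or the error the sandboxed code would see.
function attemptRequest(scope, url) {
  try {
    const x = new scope.XMLHttpRequest();
    x.open('GET', url, false);
    x.send();
    return { blocked: false, response: x.response };
  } catch (e) {
    return { blocked: true, error: e.message };
  }
}

// Constructed stand-in for a worker scope (hypothetical): a fake
// XMLHttpRequest whose "response" mirrors the body quoted in the report.
function makeFakeScope() {
  return {
    XMLHttpRequest: function () {
      this.response = '{"status": "ok"}';
      this.open = function () {};
      this.send = function () {};
    },
    fetch: function () { return Promise.resolve('{"status": "ok"}'); },
  };
}

// Stand-alone demo: request succeeds before the guards, is refused afterwards.
const demoScope = makeFakeScope();
console.log(attemptRequest(demoScope, 'https://example.invalid/test'));
console.log('patched:', installNetworkGuards(demoScope));
console.log(attemptRequest(demoScope, 'https://example.invalid/test'));
```

In a real worker the call would be `installNetworkGuards(self)` at the top of the worker script, before any untrusted code is evaluated; the returned list of names is useful for logging which globals the demo actually shadowed in a given browser.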

asvd commented 9 years ago

"Monkey-patching" is not about security; I added it to avoid confusing a user of the console: the worker scope is not actually related to the purposes of the demo. See: https://github.com/asvd/jailed/issues/1

Jailed reuses a sandboxed iframe and relies on it in matters of security, just providing a more convenient API for invoking code on the opposite side (compared to sending and handling messages):

https://github.com/asvd/jailed#in-a-web-browser

Therefore the opportunity to create a botnet in the way you described is not prevented by the browser, and is probably something to be reported to the browsers' developers.

Please let me know if you think that the issue should be handled by Jailed somehow (I can hardly imagine how this could be done without a browser feature).