endojs / endo

Endo is a distributed secure JavaScript sandbox, based on SES
Apache License 2.0

lockdown WebAPIs? #1140

Closed Jack-Works closed 2 years ago

Jack-Works commented 2 years ago

I wonder if there is any plan to add a new API to lock down the entire set of Web APIs? I tried the following code and it works sometimes 🤔

```js
// Runs in a browser after SES lockdown(): `harden` is the SES global and
// `self` is the window. Hardening everything is best-effort, so globals that
// some libraries assign to are skipped.
const skipHarden = ['globalThis', 'self', 'window', 'Window', '__core-js_shared__'].concat(
    // react-use useLocation
    'history',
    'History',
    // package abort-controller tries to assign AbortSignal onto AbortSignal
    'AbortSignal',
    // react is doing this...
    'console'
)
// Left configurable because polyfills redefine them; this pattern appears at least twice:
const skipUnconfigurable = [].concat(
    //     this.fetch = false;
    //     this.DOMException = global.DOMException;
    //     }
    //     F.prototype = global;
    //     return new F();
    'fetch',
    'DOMException',
    //   if (!self.fetch) {
    //     self.fetch = fetch;
    //     self.Headers = Headers;
    //     self.Request = Request;
    //     self.Response = Response;
    //   }
    'Headers',
    'Request',
    'Response'
)

const descriptors = Object.getOwnPropertyDescriptors(self)
Object.entries(descriptors).forEach(([key, descriptor]) => {
    // Intrinsics such as the Array and Error constructors are already hardened by lockdown()
    if (key.includes('Array') || key.includes('Error')) return
    if (skipUnconfigurable.includes(key)) return
    // Accessor descriptors have no `writable`; only data properties are changed here
    if (descriptor.writable) descriptor.writable = false
    if (descriptor.configurable) descriptor.configurable = false

    try {
        if (!skipHarden.includes(key) && descriptor.value) {
            harden(descriptor.value)
        }
    } catch (err) {
        console.error(err)
    }
})
Object.defineProperties(globalThis, descriptors)
```

kriskowal commented 2 years ago

We certainly won’t do anything with web APIs in Lockdown, but outside of SES, it would be expensive but reasonable to construct “attenuations” of web APIs, on a case-by-case basis. Taming the DOM has been attempted multiple times and proved... expensive. My stance for now is that taming the DOM is not a reasonable objective. Creating a tame virtual DOM for a specific framework is more achievable. Creating bespoke hardened controller APIs for specific interactions with UI is practical in the short term, where UIs are still largely guarded by same-origin-policy and single-tenancy. UIs can still communicate with eventual-send to external multi-tenant agents.
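The case-by-case attenuation described above, as an added example that is not code from the endo repository or from this thread: instead of freezing every global, the raw `fetch` is wrapped in a narrow, hardened controller that can only GET from one origin. It assumes SES's `harden` is present after `lockdown()` and falls back to a local deep freeze (not SES's) so it also runs without SES; `fakeFetch` is a constructed stand-in for the browser's `fetch`.

```javascript
// Local fallback for SES `harden`: freezes an object graph reachable through
// own properties (an assumption so the block runs outside a locked-down realm).
const deepFreeze = (obj, seen = new Set()) => {
  if (Object(obj) !== obj || seen.has(obj)) return obj;
  seen.add(obj);
  Object.freeze(obj);
  for (const key of Reflect.ownKeys(obj)) {
    const d = Object.getOwnPropertyDescriptor(obj, key);
    if ('value' in d) deepFreeze(d.value, seen);
    else { deepFreeze(d.get, seen); deepFreeze(d.set, seen); }
  }
  return obj;
};
const hardenFn = typeof harden === 'function' ? harden : deepFreeze;

// Policy check kept separate so it can be tested on its own: resolve `path`
// against the allowed origin and reject anything that escapes it.
function allowedUrl(path, allowedOrigin) {
  const origin = new URL(allowedOrigin).origin;
  const url = new URL(path, origin); // absolute URLs ignore the base
  if (url.origin !== origin) {
    throw new Error(`attenuated fetch: origin ${url.origin} not allowed`);
  }
  return url;
}

// makeAttenuatedFetch: returns a frozen object exposing only getJSON(path).
// The raw fetch, the Response object, and non-GET methods are never reachable.
function makeAttenuatedFetch(rawFetch, allowedOrigin) {
  const getJSON = async (path) => {
    const url = allowedUrl(path, allowedOrigin);
    const res = await rawFetch(url.href, { method: 'GET', credentials: 'omit' });
    if (!res.ok) throw new Error(`attenuated fetch: HTTP ${res.status}`);
    return res.json();
  };
  return hardenFn({ getJSON });
}

// Constructed stand-in for fetch so the example runs offline.
const fakeFetch = async (url) => ({ ok: true, status: 200, json: async () => ({ url }) });

const api = makeAttenuatedFetch(fakeFetch, 'https://example.com');
api.getJSON('/api/user').then((data) => console.log('fetched', data.url));
api.getJSON('https://evil.example/x').catch((err) => console.log('blocked:', err.message));
```

Code that receives `api` can call `getJSON` but cannot reach the underlying `fetch`, change the origin, or mutate the controller, which is the shape of the "bespoke hardened controller API" the comment describes.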

kriskowal commented 2 years ago

Closing for tracking purposes, but this is still a good anchor for this conversation.