request: provide sandboxed execution environment for template engines and data transformation

[twschiller]

Context/Background

Template engines (e.g., Mustache, Handlebars, Nunjucks, jq) are valuable for providing end-user customization without code.

However, template engines pose a security risk when used with user-defined templates (e.g., XSS and prototype pollution)

Request

• Provide a non-privileged sandbox execution environment for evaluating template/transform engines
• Communicate with the sandbox via message passing

Design Considerations

• If focused on template engines and data transforms, access to the DOM API may not be necessary
• Service Worker API likely sufficient

Prior Art:

• Chrome MV2 sandbox: https://developer.chrome.com/docs/extensions/mv2/manifest/sandbox/
• Chrome MV3 sandbox: https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/
• Firefox user_scripts: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/user_scripts

Related Information:

• https://developer.chrome.com/docs/extensions/mv3/sandboxingEval/
• https://github.com/mozilla/nunjucks-docs/issues/17

[Jack-Works]

I'd like to use SES (Secure ECMAScript) for this job. An implementation here https://github.com/endojs/endo/tree/master/packages/ses but it requires eval which is banned in the manifest V3

[kumavis]

I'd like to use LavaMoat (based on SES) to help limit risk of supplychain attacks

[Jack-Works]

I'd like to use LavaMoat (based on SES) to help limit risk of supplychain attacks

I like it too, but I'm worried about eval will be restricted (which is required to implement SES for now) on manifest V3. I don't know if we can have things like Trusted Types to make SES work with strict CSP.