I'm considering allowing users to submit JavaScript files that can be executed in the browser of other users. I know this raises a lot of security concerns, but I've seen other sites do this. How do they manage security effectively? What should I be cautious of? Are there any libraries or services available that help to scan uploaded files for potential threats before they're accepted?
2 Answers
If you're allowing users to run uploaded JavaScript on others' machines, that could lead to major security issues. It sounds risky to me. You might want to check out the JSTinker project on GitHub; it's an open-source JSFiddle clone that might be relevant to your needs.
To start tackling security, think about implementing domain sandboxing and utilizing CORS (Cross-Origin Resource Sharing). These are fundamental ways to create a safer environment for file uploads and script execution.
Thanks, I'll look into those topics!
And mine! That's why I want to know opinions about it. Yes, the idea is that you submit a file with some JS on it, then other users can browse those files and run the JS. Well, it sounds even worse now! 🙂 I'll check that link, thanks! I've used JSFiddle before and that's one of the sites I knew you could do something similar.