for example CodePen and Khan Academy programming projects. they let their users upload js scripts that will run on other computers, codepen even lets users with pro account use 3rd libraries. I want to do the same thing on my site, how dangerous is this ? how to minimise risks ?

CodePudding user response：

It's relatively quite safe if you implement proper sandboxing.

The one thing you want to avoid is letting user code run at the top level of other users' browsers, because if you permit that, all data the other user has on the website could be retrieved, logged, and stolen, among other things. But if you make sure the user code runs not on the top level, but inside a sandboxed iframe (one that can't make the top window run anything), it'll probably be fine.

See this question on Meta Stack Overflow for a similar discussion of the issue. The sites you mentioned, and other sites that implement live code editors from users like Stack Overflow and JSFiddle and many more all use this technique of running users' code inside a sandboxed iframe, so that code that runs can't reach the top level window, whose data must be kept safe. The iframe should also use a different origin (if any) from the parent site - modern browsers have naturally implemented pretty strict restrictions for cross-site communication precisely for this sort of reason (so that an iframe from one origin can do very little to a parent window on another origin, unless the parent window is specifically set up such things).

I say that a sandboxed iframe is pretty safe but not absolutely safe because it's not impossible that something like Spectre could eventually be exploited in front-end JavaScript to do something truly productively malicious. I don't think it's been seen in the wild yet, and it might never be, but it's not impossible.