This repository has been archived by the owner on Oct 2, 2018. It is now read-only.
[Strategize] Isolation of security-related code #210
Comments
|
Out of curiosity, what security benefits would this have? The editor is already placed in an iframe. |
|
The idea was reducing attack surface, mainly. |
|
I don't think this is really a feasible option, it's good practice, for example, I know google chrome does it with webpages. The only problem, however, is that the security restraints available are not specific enough to make sandboxing useful beyond just one level of security. Sandboxing a frame inside a sandboxed frame will not give us anything useful. And as for sandboxing the UI, I can't think of any use for this, there is no risk that I know of which could harm the user other than from documents opened in the program, and we already do what we can to sandbox that. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Spin-off from #208.
For security, it may make sense to put the UI itself in a sandboxed iframe, and let the top frame handle communication between modules.
Only problem is, if the modules are inside the UI, I don't know of a way to communicate safely between the top frame and a module without the UI having the same capabilities as the modules.
The text was updated successfully, but these errors were encountered: