Published 17 years 2 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
I think I've managed to create a good sandboxing system using same origin policy. The only downside is that it uses new windows to prevent top.location assignments. It works by injecting code into another domain (sandbox.businessinfo.co.uk) and executing the code in the context of that domain and returning the result of the code in the location.hash and returning it to the original domain.
As SOP is used the sandbox shouldn't be able to be bypassed without a browser exploit, sure you could change the window reference but the result would always be a string. The domain sandbox.businessinfo.co.uk is vulnerable though as it allows you to execute code, maybe using referrer checking this could be minimized which I may add in future.
So the question is can you beat it? By injecting code in the sandbox that will control the parent. For example it was vulnerable to modifying the parent location by passing "top.location=1" this has now been closed.
I found and fixed an exploit myself. Using opener.location=1, it was possible to control the parent location. I've closed this by removing the opener from the sandbox.