该方案能让你的网页安全可控的植入第三方代码,在运行时分配沙箱隔离,被隔离代码在调用"location, top, document.cookie, alert, console, prototype"等时均会被拦截及记录操作行为并返回空值,同时运行器也能对代码设置类操作权限,以控制代码的有效操作。
gitbook: https://shadow-function.gitbook.io
npm install shadow-function --save运行 demo:
$ npm run start在 demo/test.js 下模拟 ISV 代码进行安全测试。
简单的应用:
import { ShadowFunction, ShadowDocument } from 'shadow-function'
new ShadowFunction('console.log(a + b)')({a: 1, b: 2, console}) // 3
let sDoc = new ShadowDocument(document.body, '<div>123</div>')
sDoc(`
document.body.append($template.content);
console.log(document.body.getElementsByTagName("div")[0].innerText)
`)({console})类型鉴权配置:
let shadowFunction
shadowFunction = new ShadowFunction({
Node: [
'nodeName',
'nodeType',
'textContent'
],
Element: [
'style',
'onblur',
'onfocus',
'onscroll',
'offsetWidth',
'offsetHeight',
'clientWidth',
'clientHeight',
'innerText',
'setAttribute',
'removeAttribute',
'createTextNode',
'addEventListener',
'getElementsByTagName'
],
HTMLDivElement: []
})
shadowFunction(`
document.appendChild(document.createElement("div"))
`)({document})原型链限制
new ShadowFunction('console.log(a.prototype)')({console, a: {}}) // undefined
new ShadowFunction('console.log(a.valueOf.__proto__)')({console, a: {}}) // undefined可以使用上面的类鉴权配置开放原型链方法。
执行沙盒节点安全同步
import { ShadowFunction, ShadowDocument } from 'shadow-function'
new ShadowFunction('console.log(a + b)')({a: 1, b: 2, console}) // 3
let shadowDocumentFn = new ShadowDocument(document.body, '<div>123</div>')
shadowDocumentFn(`
document.body.append($template.content);
console.log(document.body.getElementsByTagName("div")[0].innerText)
`)({
console
})import { jsonp } from 'shadow-function'
jsonp({
url: "http://suggest.taobao.com/sug?code=utf-8&q=iphoneX"
}).then((data) => {
console.log("jsonp:", data)
})