Javascript Security - Canvas, User Scripts, and Workers?

Started by Heretic86, March 05, 2021, 01:55:39 pm


Heretic86

March 05, 2021, 01:55:39 pm Last Edit: March 05, 2021, 03:36:44 pm by Heretic86 Reason: I edited it because I wanted to!
So I have had an idea...

The idea involves allowing logged in users to upload Javascripts that they write.  Their scripts will run on other users' browsers.  However, I do not trust the other users to not upload malicious content.  Most probably won't, but some will inevitably try.  Thus, the idea of using a Worker comes into play.  I haven't played with Workers but basically a Worker simply contains scripts that are running from the DOM, which is what I am thinking will help protect the other users from scripts with malicious intent.  It seems like it will be fairly secure.  Workers are also restricted on their XMLHttpRequests which only returns null, so that function is pretty much useless for loading even more scripts.

Basically imagine this.  A canvas running in a webpage.  Canvas does something that is handled by the User Scripts from inside the Worker.  The webpage that also has the Canvas element can also allow a user to Login.  Since the scripts inside the Worker are not allowed access to the DOM, theoretically, the User can login without their keystrokes being recorded by User Scripts.  In theory.  The other side of that is that I want what's inside the Worker to influence what is displayed on the Canvas.  I don't really care if the Canvas has to be in the Worker or main DOM as long as the User Script can generate output on the Canvas to other Users.

I've been doing some reading on Workers in JS, but don't quite understand it well enough to see how to achieve BOTH access to the DOM element (which may be insecure if the Worker Script is given the Canvas element, as the calling Parent may allow unintended access to the DOM, where the script can record another user's Username and Password).  Scripts can be uploaded by unknown Users, and the concept of allowing a User to upload their own scripts and execute them in the browser is the foundation of the idea, so I can NOT simply say "don't let users upload scripts".  I would like to have BOTH but in a way that is as secure as I can make it and STILL allow users to create accounts and upload their scripts.  As I understand it, for the DOM to communicate with the Worker, it uses postMessage, and vice versa.  Objects passed to the Worker are COPIES, thus presenting more difficulty.

How do I make an HTML Canvas (maybe from DOM) take data processed in a custom user script in a secure manner whereby the rest of the DOM (such as a Login or Session Cookie) is inaccessible to the Worker?

Oh, and to add Insult to Injury, let's throw in some CSP too! CSP is Content Security Policy.
https://content-security-policy.com/

Looks like I am gonna need that, and I'm thinking I don't think it will compromise security stuff too much if I load all the JS files from a single page, like js.php?id=1 and set up the CSP to allow my files, and use the js.php for User files?

Even a VERY basic example would be EXTREMELY helpful.  Does anyone have an idea on how to do this?
Current Scripts:
Heretic's Moving Platforms

Current Demos:
Collection of Art and 100% Compatible Scripts

(Script Demos are all still available in the Collection link above.  I lost some individual demos due to a server crash.)
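One way to wire up the Worker-to-Canvas path described above, as an added example that is not code from the original post: the untrusted script runs in a Worker and can only postMessage a batch of plain draw commands; the main thread treats that message as hostile input, accepts only an allow-listed set of context methods with bounded numeric arguments, and draws on the canvas itself. The worker URL js.php?id=1 and the canvas id "canvas" are assumptions taken from the post.

```javascript
// Added example (not from the original post). The user script in the Worker would
// call postMessage({ ops: [{ op: 'fillRect', args: [0, 0, 10, 10] }] }); nothing in
// that message is ever eval'd or used as an arbitrary property name on this side.

// Allowed CanvasRenderingContext2D operations and the number of numeric args each takes.
const ALLOWED_OPS = Object.freeze({
  fillRect: 4, strokeRect: 4, clearRect: 4, moveTo: 2, lineTo: 2, arc: 5,
  beginPath: 0, stroke: 0, fill: 0,
});
const MAX_OPS = 1000;      // cap per batch so a hostile script cannot stall the UI thread
const COORD_LIMIT = 4096;  // reject absurd coordinates / sizes

// Validate a structured-cloned message from the worker. Returns a clean array of
// { op, args } or throws; the caller drops the whole batch on any violation.
function validateDrawBatch(msg) {
  if (!msg || typeof msg !== 'object' || !Array.isArray(msg.ops)) throw new Error('bad batch');
  if (msg.ops.length > MAX_OPS) throw new Error('too many ops');
  return msg.ops.map((cmd) => {
    if (!cmd || typeof cmd !== 'object') throw new Error('bad command');
    // hasOwnProperty guards against prototype names such as "constructor" or "__proto__"
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPS, cmd.op)) {
      throw new Error('op not allowed: ' + String(cmd.op));
    }
    const args = Array.isArray(cmd.args) ? cmd.args : [];
    if (args.length !== ALLOWED_OPS[cmd.op]) throw new Error('bad arity for ' + cmd.op);
    for (const a of args) {
      if (typeof a !== 'number' || !Number.isFinite(a) || Math.abs(a) > COORD_LIMIT) {
        throw new Error('bad argument for ' + cmd.op);
      }
    }
    return { op: cmd.op, args: args.slice() };
  });
}

// Apply an already validated batch to a 2D context. In the browser ctx is the real
// canvas context; any object exposing the allowed methods works for testing.
function applyDrawBatch(ctx, ops) {
  for (const { op, args } of ops) ctx[op](...args);
  return ops.length;
}

// Main-thread wiring (browser only). The Worker has no DOM access, so login fields and
// cookies on the page are out of its reach; it only ever sees the copied message data.
if (typeof Worker !== 'undefined' && typeof document !== 'undefined') {
  const ctx = document.getElementById('canvas').getContext('2d');  // assumed canvas id
  const worker = new Worker('js.php?id=1');  // assumed user-script URL from the post
  worker.onmessage = (e) => {
    try { applyDrawBatch(ctx, validateDrawBatch(e.data)); }
    catch (err) { worker.terminate(); console.warn('rejected user script batch:', err.message); }
  };
}
```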

KK20

Even though I work in cyber security, this isn't exactly my field of expertise (more of a tools engineer). I'm fairly sure I can say the same for anyone else here. You're better off asking at a more dedicated forum than here.

But these sentences alone
Quote: "The idea involves allowing logged in users to upload Javascripts that they write.  Their scripts will run on other users' browsers."
are like the biggest red flag I have ever seen in my life.

Other Projects
RPG Maker XP Ace  Upgrade RMXP to RMVXA performance!
XPA Tilemap  Tilemap rewrite with many features, including custom resolution!

Nintendo Switch Friend Code: 8310-1917-5318
Discord: KK20 Tyler#8901

Join the CP Discord Server!

Heretic86

March 06, 2021, 12:12:24 pm #2 Last Edit: March 06, 2021, 12:14:33 pm by Heretic86
Yep.  I am fully aware of that.  Hence the idea of Sandboxing, somehow.  Worker.  Iframe.  CSP.  All 3.  Don't really care how.  Uploading and running scripts is the goal or the idea is useless.  Most of the scripts I expect users to run won't be malicious.  However I am certain some jackass will try to run a Porn Installer or Malware or something, and the goal is to let those scripts run but effectively be neutered, no access to DOM, no access to XMLHttpRequest, etc.

I'll ask around.