Avoid session hijack within my own website


I recently created a small website where users can sign in (the session is stored as a cookie with the HttpOnly flag). Users can create and upload their own files and share some of them with their friends/colleagues or even make them completely public.

The issue I have is that these files can be HTML files that run their own custom JavaScript (and I would like to keep supporting this feature, i.e. allow them to have custom JavaScript).

But of course, since all of this is happening from the same domain, there is no CORS to protect the user. This means it's possible to have a malicious user create a page with custom JavaScript that will fetch all the other files for the user that views this page (including private ones) and send these files to the malicious user. Additionally, the custom JavaScript could also fetch other private information for that user from other endpoints.

Does anyone have any ideas of a good way to deal with this security risk (while still keeping the feature of allowing users to have their own HTML pages with custom JavaScript)?
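
One way to contain the risk described in the question, as an added example that is not part of the original post: serve uploaded HTML with a `Content-Security-Policy: sandbox allow-scripts` header so its scripts still run but in an opaque origin, and check Fetch Metadata headers on private endpoints. The `/u/` and `/api/` prefixes and all function names are hypothetical.

```javascript
// Added example (not from the original post). Assumed, hypothetical layout:
// user uploads are served under /u/, private JSON endpoints under /api/.
const UPLOAD_PREFIX = '/u/';
const API_PREFIX = '/api/';

// Headers for a response that carries user-controlled HTML.
// "sandbox allow-scripts" without "allow-same-origin" lets the page's
// JavaScript run but gives the document an opaque origin, so its fetch()
// calls to the site are cross-origin and their responses are unreadable
// unless the server opts in through CORS.
function uploadHeaders(contentType) {
  return {
    'Content-Type': contentType,
    'Content-Security-Policy': 'sandbox allow-scripts',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Fetch Metadata check for private endpoints: accept only requests the
// browser marks as same-origin, or direct navigation ("none").
// Requests from a sandboxed upload arrive as "cross-site" with Origin: null.
function apiRequestAllowed(headers) {
  const site = headers['sec-fetch-site'];
  if (headers['origin'] === 'null') return false;
  if (site === undefined) return true; // older or non-browser client; other controls apply
  return site === 'same-origin' || site === 'none';
}

// Decide how to answer a request; returns a small plan object
// (status and response headers) that a real handler would act on.
function route(path, reqHeaders, contentType = 'text/html') {
  if (path.startsWith(API_PREFIX)) {
    return apiRequestAllowed(reqHeaders)
      ? { status: 200, headers: { 'Content-Type': 'application/json' } }
      : { status: 403, headers: {} };
  }
  if (path.startsWith(UPLOAD_PREFIX)) {
    return { status: 200, headers: uploadHeaders(contentType) };
  }
  return { status: 200, headers: { 'Content-Type': contentType } };
}
```

The sandbox only holds if the private endpoints never answer with `Access-Control-Allow-Origin: null`, since that would let the opaque-origin page read their responses again.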
