I have a very simple question, with maybe a less simple answer:
I want to construct an html file, including css and javascript. Parts of the code could come from external users, and prevent it from having any network access whatsoever. This means: no AJAX calls using javascript, no programatic redirects, but even no <img> tags with src= or <a> tags with href=.
- Content Security Policy almost seemed to do the job, but a plain old hyperlink like
<a href="https://evil.com/someUserData">click me</a>still seems to work. - Google Caja seems to be doing the job, but I want to understand completely how this works and I'm new to Java.
So, my questions are:
- Is there any way this sandbox functionality can be accomplished with CSP?
- Is Google Caja (using uriPolicy) a secure way of preventing any home-phoning from hackers?
- Any other tips & tricks?