Abstract

The same-origin policy isolates web applications from each other based on their origin, but it also prevents legitimate data exchange between two web applications with different origins. JavaScript Object Notation with Padding (JSONP) is a workaround for the same-origin policy in which the data is wrapped in a call to a callback function inside a script file that the consuming application includes. Because an included script runs with the full privileges of the including page, this approach is vulnerable to malicious or compromised external sources: whatever code the script contains executes as the application. This disclosure proposes executing third-party JSONP scripts within a sandbox that isolates them, so that malicious code in the script cannot harm the including page. The sandbox is created with sandboxed iframes, message channels, and the srcdoc attribute of iframes. A secure version of a library function initializes the sandbox on behalf of the parent page, executes the JSONP script inside it, and sends the resulting data back to the parent page over a bidirectional communication channel that permits message exchange.
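The following is an added example of the mechanism the abstract describes, written for this page; it is not code from the disclosure or from any library it may refer to. It assumes the JSONP endpoint takes a `callback` query parameter (a hypothetical but common convention), that the frame is created with `sandbox="allow-scripts"` only (so the srcdoc document runs at an opaque origin with no access to the parent's DOM, cookies or storage), and that the only path out of the sandbox is a MessagePort the parent hands over. The function names `buildSandboxSrcdoc`, `checkSandboxReply` and `loadJsonpSandboxed` are invented for the example.

```javascript
// Added example (not the disclosure's own code): parent-page side of running a JSONP script
// inside a sandboxed srcdoc iframe and receiving its data over a MessageChannel.
// Assumptions: the endpoint accepts a `callback` query parameter (hypothetical convention) and
// the iframe is created with sandbox="allow-scripts" only, so the script runs at an opaque origin.

const IDENT_RE = /^[A-Za-z_$][\w$]*$/;

// Build the srcdoc document for the sandbox. The callback name is restricted to a plain JavaScript
// identifier and the URL is serialised with JSON.stringify (with '<' escaped) so that neither can
// break out of the inline script and inject markup into the sandbox document.
function buildSandboxSrcdoc(scriptUrl, callbackName) {
  if (!IDENT_RE.test(callbackName)) throw new Error('callback name must be a JS identifier');
  const u = new URL(scriptUrl);                       // throws on a malformed URL
  if (u.protocol !== 'https:') throw new Error('JSONP source must be fetched over https');
  u.searchParams.set('callback', callbackName);
  const srcLiteral = JSON.stringify(u.href).replace(/</g, '\\u003c');
  return [
    '<!doctype html><meta charset="utf-8"><script>',
    'var port = null;',
    // The JSONP callback: forward whatever the third-party script hands us to the parent.
    'window.' + callbackName + ' = function (data) {',
    '  if (!port) return;',
    '  try { port.postMessage({ ok: true, data: data }); }',
    '  catch (e) { port.postMessage({ ok: false, error: "unclonable payload: " + e }); }',
    '};',
    // Load the third-party script only after the parent has handed over its end of the channel.
    'window.addEventListener("message", function (ev) {',
    '  if (port || !ev.ports || !ev.ports[0]) return;',
    '  port = ev.ports[0];',
    '  var s = document.createElement("script");',
    '  s.src = ' + srcLiteral + ';',
    '  s.onerror = function () { port.postMessage({ ok: false, error: "script failed to load" }); };',
    '  document.head.appendChild(s);',
    '});',
    '</script>'
  ].join('\n');
}

// Validate a message that arrived on the parent's port. Structured cloning already rejects
// functions, but the parent only wants plain JSON data, so anything that does not survive a JSON
// round-trip (undefined, functions, cyclic objects) is refused rather than handed to the caller.
function checkSandboxReply(msg) {
  if (!msg || typeof msg !== 'object' || typeof msg.ok !== 'boolean') {
    return { ok: false, error: 'malformed sandbox reply' };
  }
  if (!msg.ok) return { ok: false, error: String(msg.error || 'sandbox reported failure') };
  let data;
  try {
    data = JSON.parse(JSON.stringify(msg.data));
  } catch (e) {
    return { ok: false, error: 'payload is not JSON data' };
  }
  if (data === undefined) return { ok: false, error: 'payload is not JSON data' };
  return { ok: true, data: data };
}

// Browser-only: create the sandbox, hand it one end of a MessageChannel, resolve with the data.
// Usage: loadJsonpSandboxed('https://feeds.example/items', 'onItems').then(console.log)
function loadJsonpSandboxed(scriptUrl, callbackName, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    const srcdoc = buildSandboxSrcdoc(scriptUrl, callbackName);   // validates inputs first
    const iframe = document.createElement('iframe');
    iframe.setAttribute('sandbox', 'allow-scripts');   // no allow-same-origin: opaque origin
    iframe.style.display = 'none';
    iframe.srcdoc = srcdoc;
    const { port1, port2 } = new MessageChannel();
    let timer;
    const finish = (fn, value) => { clearTimeout(timer); port1.close(); iframe.remove(); fn(value); };
    timer = setTimeout(() => finish(reject, new Error('JSONP sandbox timed out')), timeoutMs);
    port1.onmessage = (ev) => {
      const r = checkSandboxReply(ev.data);
      r.ok ? finish(resolve, r.data) : finish(reject, new Error(r.error));
    };
    iframe.onload = () => {
      // targetOrigin '*' is unavoidable: an opaque origin cannot be named. Only port2 crosses the
      // boundary, and replies on the channel are readable only by the holder of port1.
      iframe.contentWindow.postMessage('init', '*', [port2]);
    };
    document.body.appendChild(iframe);
  });
}
```

The two pure helpers can be exercised outside a browser; `loadJsonpSandboxed` needs a DOM. The important design point is the absence of `allow-same-origin` in the sandbox attribute: with it, a srcdoc frame would inherit the parent's origin and the third-party script could simply reach `parent.document`, which defeats the isolation the disclosure is after.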

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.