quarantiner v0.1.0-alpha.8

Quarantiner

EXPERIMENTAL Isolates scripts that may modify prototypes by running them inside an <iframe> realm.

What is it?

This is not a security-focused sandbox. It is expected (for now) that a script will be able to escape the sandbox if intentional.

The main purpose of this sandbox is to provide a lightweight isolated script environment (realm) so that incompatible or badly-behaving scripts that modify global objects or global prototypes can be isolated enough from each other to function together.

Recommended usage

It is recommended that you use this alongside a bundler, e.g. via the Rollup plugin rollup-plugin-sandbox.

Alternative usage (if requiring directly)

$ npm i quarantiner

Global API

A global object quarantiner will be installed, which is actually defined by the UMD build for this library.

Methods of the quarantiner global:

• quarantiner.quarantine(...):

  quarantiner.quarantine(
      wrapper: WrapperFunction,
      config: ConfigOptions = { globals: {}, sandbox: 'default' }
  ): Promise<void>

  • wrapper: a function that defines a script to be executed inside the sandbox realm.
  • config: an optional configuration object:
    • config.globals: globals that are expected to be defined by the script, that should then be defined as globals on the main window/global object. Example: { myGlobal: { type: 'function' } }
    • config.sandbox: name of the sandbox to execute the script inside. any scripts that specify the same sandbox name will be run inside the same sandbox.

• quarantiner.getSandbox(name: string = 'default'): Promise<Sandbox>: Allows fetching the Sandbox instance for a declared sandbox.

See also

• rollup-plugin-sandbox, a Rollup plugin which uses this library.