Is there a way to use jsdom in a robust sandbox?
I am using jsdom to load web pages in my Node.js application. Sometimes I don't get the full DOM because some web pages use scripts to dynamically load their content after the onload event is fired.
jsdom disables execution of these scripts by default, as this could lead to a security flaw, as stated in their documentation:
The jsdom sandbox is not robust and code running inside the DOM <script>s can, if it tries hard enough, access the Node.js environment and therefore your machine
I was wondering if there is a way to make it reliable with some workarounds? I'm a bit new to Node.js development, and since this is a single-threaded environment I'm not sure how to create a secure sandbox.
NodeJS doesn't have this type of security out of the box. If you run untrusted, third-party code in your Node engine, you will need to use operating system tools to isolate and secure it.
Things you might want to learn:
- Using a chroot jail.
- Using a virtual machine.
- Using a Docker container.
- Using a jailed sandbox (didn't use it myself, but it has a good reputation).
Do some research on these approaches and their limitations, and see what works best for your goal. I think the VM will offer the greatest isolation and the least chance of error, but it has the most overhead. All approaches can be made to work.
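An added example (not part of the original question or answer) of the Docker option from the list above: the host never runs page scripts itself, it pipes the HTML to a locked-down container and reads the rendered DOM back. The image name `jsdom-worker` and the script `/app/render.js` are hypothetical; the worker is assumed to read HTML on stdin, run jsdom with script execution enabled, and print the serialized DOM.

```javascript
// Added example: host-side launcher for an untrusted jsdom worker.
const { spawnSync } = require('node:child_process');

// Assumed names: image "jsdom-worker" and /app/render.js are hypothetical.
function dockerArgs({ image = 'jsdom-worker', network = 'none' } = {}) {
  return [
    'run', '--rm', '-i',
    '--network', network,            // 'none' unless page scripts must fetch
    '--read-only',                   // immutable root filesystem
    '--tmpfs', '/tmp:rw,noexec,nosuid,size=16m',
    '--cap-drop', 'ALL',             // no Linux capabilities
    '--security-opt', 'no-new-privileges',
    '--user', '65534:65534',         // unprivileged uid:gid (nobody)
    '--memory', '256m', '--pids-limit', '64', '--cpus', '1',
    image, 'node', '/app/render.js',
  ];
}

// Run a worker command with a wall-clock limit, an output cap and an
// environment reduced to PATH, so host secrets held in environment
// variables are never inherited by the worker.
function runWorker(cmd, args, input, { timeoutMs = 10000 } = {}) {
  const r = spawnSync(cmd, args, {
    input,
    env: { PATH: process.env.PATH },
    timeout: timeoutMs,              // a hung or looping page is killed
    killSignal: 'SIGKILL',
    maxBuffer: 5 * 1024 * 1024,      // cap on the returned DOM size
    encoding: 'utf8',
  });
  if (r.error) return { ok: false, reason: r.error.code || r.error.message };
  if (r.status !== 0) return { ok: false, reason: `exit ${r.status}` };
  return { ok: true, html: r.stdout };
}

// Host-side call: the page's scripts execute only inside the container.
function renderUntrusted(html) {
  return runWorker('docker', dockerArgs(), html);
}
```

With `--network none` the page's scripts cannot fetch further content; pass a restricted Docker network name to `dockerArgs` if the pages being loaded need it.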