Nerds Publishing Monstrosities

    @guardian/fence

    0.2.13 • Public • Published

    Fence – safer embed sandbox

    Fence provides a safer way to embed custom code on a website.

    Embedding third-party HTML onto a website can endanger the stability of a page, e.g. by calling destructive web APIs (document.write) or triggering JavaScript errors. They sometimes expect to be present in the page on load in order to load scripts synchronously, though you may want to inject them dynamically.

    This library provides a safer abstraction to wrap custom code and render it on demand.

    Fence uses <iframe> as sandboxing mechanism, through the srcdoc attribute (polyfilled for older browsers).

    Note that fence does not improve security (the sandboxed code still runs on the same origin), only the reliability of the embedded content.

    Usage

    The fence library is distributed as an AMD module, so make sure you are using an AMD loader, for instance RequireJS, and use it to load in the library:

    require(['fence'], function(fence) {
      // use fence as per the instructions below...
    });

    To wrap any HTML code into a fenced iframe, pass it to the wrap function:

    var iframe = '<script src="http://example.com/script.js"></script>';
    var embedHtml = fence.wrap(iframe);
    
    // you can then add it to your page, e.g.
    someContainer.innerHTML = embedHtml;

    Note that the code will only be wrapped if it is unsafe (i.e. risks of destructive or averse side-effects). If it is safe (e.g. it's already an iframe), it will just be returned as-is.

    If you just want to check if some HTML is safe to embed, use isSafeCode:

    var iframe = '<iframe src="http://example.com/iframe"></iframe>';
    fence.isSafeCode(); // => true
    
    var iframe = '<script src="http://example.com/script.js"></script>';
    fence.isSafeCode(); // => false

    Once you have a fenced iframe in your page, you can render it by passing its DOM node or id to the render function:

    // Render using a reference to the node
    var node = document.querySelector('.content iframe.fenced');
    fence.render(node);
    
    // ... or just by id, assuming you have:
    //  <iframe id="some-fenced-iframe" class="fenced" srcdoc="..."></iframe>
    fence.render('some-fenced-iframe');

    If you just want to render all fenced iframes on the page, you can simply call:

    fence.renderAll();

    Installation

    The easiest way to install fence to use in your web application is through NPM:

    $ npm install @guardian/fence
    

    Then simply point your AMD config to the fence.js file and you're ready to go!

    Examples

    To try the examples locally, simply run:

    $ npm install
    $ grunt connect
    

    Then open http://localhost:9001/examples/ in your browser.

    FAQ

    Does it actually work?

    Yes it does. It was developed for and is being used on the Guardian website.

    What is the browser support

    Fence has been tested on the following browsers:

    • Firefox
    • Chrome
    • IE (9+)

    Keywords

    Install

    npm i @guardian/fence

    DownloadsWeekly Downloads

    166

    Version

    0.2.13

    License

    Apache

    Unpacked Size

    21.5 kB

    Total Files

    5

    Last publish

    Collaborators

    • pete_f
    • adamnfish
    • novembertang
    • ab-gnm
    • yusuf.faraji
    • joecowton1
    • alinaboghiu.g
    • robertkenny_gu
    • jamesgorrie
    • oliverlloyd
    • arelra
    • marjank
    • jamieb-gu
    • zekehg
    • rtyley
    • dlawes
    • ghaberis
    • jsherbert
    • david.furey.gu
    • guardian-developers
    • simonadcock-gu
    • akash1810
    • reetta
    • ajwl
    • tomrf1
    • mchv
    • itsibitzi
    • justinpinner
    • jranks123
    • nicl
    • philmcmahon
    • tjmw
    • thaliasilver
    • sndrs
    • sam.hession
    • jfsoul
    • 0x101
    • frankie_hammond
    • aoifemcl15
    • mxdvl
    • rhysmills
    • jacobwinch
    • annabeddow
    • michaelclapham_gnm
    • olly.namey.guardian