ShareMyPage 平台在托管用户上传的包含 JavaScript 的 HTML 代码时,不依赖传统的代码清洗技术,而是基于“所有页面均为恶意”的原则构建防御架构 [1]。该平台利用无源沙箱 iframe 和独立的无 Cookie 域名来隔离执行环境,确保即使发生沙箱逃逸,攻击者也无法窃取用户会话或注入恶意内容 [1]。
在技术实现上,ShareMyPage 使用禁止 allow-same-origin 的沙箱 iframe,使页面拥有 null origin,从而阻止其访问用户的 document.cookie 和 localStorage [1]。同时,平台规定 allow-scripts 和 allow-same-origin 属性绝不能同时出现 [1]。内容通过一个独立的、不设置也不读取 Cookie 的域名提供,该域名的运行环境与用户登录会话完全分离 [1]。
此外,ShareMyPage 还采取了多项辅助安全措施:使用短期有效的签名 URL 限制访问权限,严格约束 iframe 嵌套来源,并实施严格的跨站脚本防护(CSP)策略 [1]。
ShareMyPage ensures the safe hosting of user-uploaded HTML containing JavaScript by isolating execution environments rather than relying on code sanitization [1]. The platform operates under a principle that assumes all uploaded pages are malicious, utilizing sandboxed iframes and independent domains without cookies to separate the runtime from user sessions [1]. Specifically, the system employs iframes configured with allow-scripts but explicitly forbidding allow-same-origin, which grants the content a null origin [1]. This configuration prevents access to document.cookie and localStorage, ensuring that even in the event of a sandbox escape, attackers cannot steal user sessions or inject malicious content into other parts of the site [1]. Content is served from an independent domain that neither sets nor reads cookies, maintaining complete separation from user login states . To further restrict access, the platform utilizes short-lived signed URLs and enforces strict Cross-Origin Policy (COP) strategies to limit iframe nesting sources . A critical rule enforced by this architecture dictates that allow-scripts and allow-same-origin must never appear simultaneously in an iframe's permissions list .