Fence – safer embed sandbox

Fence provides a safer way to embed custom code on a website.

Embedding third-party HTML onto a website can endanger the stability
of a page, e.g. by calling destructive web APIs (document.write) or
triggering JavaScript errors. They sometimes expect to be present in
the page on load in order to load scripts synchronously, though you
may want to inject them dynamically.

This library provides a safer abstraction to wrap custom code and
render it on demand.

Fence uses </code> as sandboxing mechanism, through the <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-srcdoc" class="text-primary hover:underline" target="_blank" rel="noopener noreferrer">srcdoc</a> attribute (polyfilled for older browsers).Note that fence does not improve security (the sandboxed code still runs on the same origin), only the reliability of the embedded content. <h2 class="text-xl font-semibold mt-5 mb-3">Usage</h2>The fence library is distributed as an AMD module, so make sure you are using an AMD loader, for instance <a href="http://requirejs.org/" class="text-primary hover:underline" target="_blank" rel="noopener noreferrer">RequireJS</a>, and use it to load in the library:``<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">javascript require(['fence'], function(fence) { // use fence as per the instructions below... }); </code>`<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">To wrap any HTML code into a fenced iframe, pass it to the </code>wrap<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono"> function:</code>`<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">javascript var iframe = '<script src="http://example.com/script.js"></script>'; var embedHtml = fence.wrap(iframe);// you can then add it to your page, e.g. someContainer.innerHTML = embedHtml; </code>`<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">Note that the code will only be wrapped if it is unsafe (i.e. risks of destructive or averse side-effects). If it is safe (e.g. it's already an iframe), it will just be returned as-is.If you just want to check if some HTML is safe to embed, use </code>isSafeCode<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">:</code>`<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">javascript var iframe = '<iframe src="http://example.com/iframe">'; fence.isSafeCode(); // => true

var iframe = ''; fence.isSafeCode(); // => false`

Once you have a fenced iframe in your page, you can render it by passing its DOM node or id to therender function:

`javascript // Render using a reference to the node var node = document.querySelector('.content iframe.fenced'); fence.render(node);

// ... or just by id, assuming you have: // fence.render('some-fenced-iframe');`

If you just want to render all fenced iframes on the page, you can simply call:

`javascript fence.renderAll();`

`Installation`

The easiest way to install fence to use in your web application is through NPM:

`$ npm install @guardian/fence`

Then simply point your AMD config to the fence.js file and you're ready to go!

`Examples`

To try the examples locally, simply run:

`$ npm install $ grunt connect``

Then open http://localhost:9001/examples/ in your browser.

FAQ

$3

Yes it does. It was developed for and is being used on
the Guardian website.

$3

Fence has been tested on the following browsers:

* Firefox
* Chrome
* IE (9+)

Fence – safer embed sandbox

Fence provides a safer way to embed custom code on a website.

This library provides a safer abstraction to wrap custom code and
render it on demand.

Fence uses

</code> as sandboxing mechanism, through the<br /><a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-srcdoc" class="text-primary hover:underline" target="_blank" rel="noopener noreferrer">srcdoc</a><br />attribute (polyfilled for older browsers).</p><p class="my-3">Note that fence does not improve security (the sandboxed code still<br />runs on the same origin), only the reliability of the embedded<br />content.</p><p class="my-3"><br /><h2 class="text-xl font-semibold mt-5 mb-3">Usage</h2></p><p class="my-3">The fence library is distributed as an AMD module, so make sure you<br />are using an AMD loader, for instance<br /><a href="http://requirejs.org/" class="text-primary hover:underline" target="_blank" rel="noopener noreferrer">RequireJS</a>, and use it to load in the library:</p><p class="my-3">``<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">javascript<br />require(['fence'], function(fence) {<br />  // use fence as per the instructions below...<br />});<br /></code>`<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono"></p><p class="my-3">To wrap any HTML code into a fenced iframe, pass it to the </code>wrap<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono"><br />function:</p><p class="my-3"></code>`<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">javascript<br />var iframe = '<script src="http://example.com/script.js"></script>';<br />var embedHtml = fence.wrap(iframe);</p><p class="my-3">// you can then add it to your page, e.g.<br />someContainer.innerHTML = embedHtml;<br /></code>`<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono"></p><p class="my-3">Note that the code will only be wrapped if it is unsafe (i.e. risks of<br />destructive or averse side-effects).  If it is safe (e.g. it's already<br />an iframe), it will just be returned as-is.</p><p class="my-3">If you just want to check if some HTML is safe to embed, use<br /></code>isSafeCode<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">:</p><p class="my-3"></code>`<code class="bg-muted px-1 py-0.5 rounded text-sm font-mono">javascript<br />var iframe = '<iframe src="http://example.com/iframe">';
fence.isSafeCode(); // => true

var iframe = '';
fence.isSafeCode(); // => false

Once you have a fenced iframe in your page, you can render it by
passing its DOM node or id to the

render function:

javascript
// Render using a reference to the node
var node = document.querySelector('.content iframe.fenced');
fence.render(node);

// ... or just by id, assuming you have:
//  
fence.render('some-fenced-iframe');

If you just want to render all fenced iframes on the page, you can
simply call:

javascript
fence.renderAll();