What actually is sandboxing in JavaScript?

I understand the term sandbox. But my limited skills in JS are unable to help me understand what sandboxing in JS is. So, what actually is sandboxing? Apart from security, why do we need to sandbox JS?


The JavaScript sandbox does exactly what you've said. It limits the scope of what a script can do. There are also benefits in terms of virtualising the resources the script can call on. This allows the sandbox host to marshal those resources for better performance and, say, stop an endlessly looping script bringing the whole browser crashing down.


Sandboxing is the act of creating a scope in which no other part of the application can operate (unless given an opportunity to). More specifically, this is usually a function scope that exposes a limited subset of what's actually going on within it.

One library that's founded on the idea of sandboxes is YUI3. The basic unit of the application is a YUI instance sandbox:

var Y = YUI(); // creates a configurable YUI instance

// Creates a sandbox for one part of your application,
// including the 'node' module.
Y.use('node', function(Z) {
    // Z is a YUI instance that's specific to this sandbox.
    // Operations inside it are protected from outside code
    // unless exposed explicitly. Any modules you request in
    // use statement will be separately instanced just for
    // this sandbox (in this case, the 'node' module)
    //
    // That way, if another part of your application decides
    // to delete Z.Node (or worse, replace it with a
    // malicious proxy of Z.Node) the code you've written
    // here won't be affected.
});

The advantages of sandboxes are primarily to reduce application complexity: since sandboxes are immutable, they're much easier to reason about and verify. They also improve runtime security, since a well-designed sandbox should be able to operate as a black box to other scripts running on the page. It does not prevent all possible attacks, but it protects against many of the simple ones.
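
The per-sandbox instancing described in this answer, as an added example that is not part of the original answer and is not YUI's own code. The names `createSandbox`, `factories` and `demo` are hypothetical; the sketch shows that each sandbox gets its own frozen module instance, and also where the protection stops.

```javascript
// Plays the role of Y.use(): every requested module is instantiated
// separately for this sandbox and handed only to the callback.
function createSandbox(factories, moduleNames, callback) {
  const instance = {};
  for (const name of moduleNames) {
    if (!Object.prototype.hasOwnProperty.call(factories, name)) {
      throw new Error('unknown module: ' + name);
    }
    // Freeze so code holding the module cannot replace its methods.
    instance[name] = Object.freeze(factories[name]());
  }
  return callback(Object.freeze(instance));
}

function demo() {
  // Constructed registry: each factory builds a fresh module object.
  const factories = {
    node: () => ({ create: (tag) => ({ tag, children: [] }) }),
  };

  // Sandbox A exposes one function; its module instance stays private.
  const makeDiv = createSandbox(factories, ['node'],
    (Z) => () => Z.node.create('div'));

  // Sandbox B tries to swap in a different create() on its own instance.
  const tamperBlocked = createSandbox(factories, ['node'], (Z) => {
    try {
      Z.node.create = () => ({ tag: 'script', children: [] });
    } catch (e) {
      // Strict-mode code throws TypeError here; sloppy mode ignores the write.
    }
    return Z.node.create('div').tag === 'div';
  });

  // Replacing the registry entry afterwards does not reach sandbox A,
  // which already holds its own instance...
  factories.node = () => ({ create: () => ({ tag: 'script', children: [] }) });
  const tagFromA = makeDiv().tag;

  // ...but a sandbox created after the replacement receives the new module,
  // which is why this pattern does not stop every attack.
  const tagFromLateSandbox = createSandbox(factories, ['node'],
    (Z) => Z.node.create('div').tag);

  return { tagFromA, tamperBlocked, tagFromLateSandbox };
}

console.log(demo());
```

The isolation only holds for code that runs after the sandbox has captured its instance; anything that can alter the registry first still controls what later sandboxes receive.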


Sandboxing creates a limited scope for the script to use. Assuming you're coding for a website, it's worth sandboxing to avoid making edits to a live site when you are uncertain about whether they will work exactly as you expect - and it's impossible to be truly certain without testing. Even if it works properly, if there's a chance of you making a series of alterations to the JS until you've got it tweaked the way you like, you could easily disrupt anyone attempting to use the site while you're updating it.

It's also much easier to tell what's broken when you break things, because of the limited nature of the sandbox.
