Package sandboxing

2019-07-23

You will often need to install tools on your website to extend its functionality. The first such tool is typically the IDE, which lets you edit the filesystem of your website. With the IDE, you can list all the files, read all their attributes and file contents. That’s great as long as it is only you reading all that data, but you may not want to allow everyone else to do so.

To prevent this, Boomla introduces package sandboxing: requests that hit a URL within an installed package will be sandboxed to that package, unless the visitor is the website owner.

 

Example scenarios

Using the IDE

The IDE is typically installed at

//example.com/sys/packages/ide.boomla.com

You will go to the same address to access the IDE, generally by clicking the IDE link in your toolbar when you are logged in.

If you are logged in as the website’s owner, the sandbox root will be //example.com, so you (and therefore the IDE) will have full access to the entire website. In this case we could say that no package sandboxing is applied.

Any other visitor, either logged on to the Boomla platform or not, will be sandboxed to the package root:

//example.com/sys/packages/ide.boomla.com

This means that the visitor will have full read access to the entire package tree, but not to your website outside the package.

Using a gallery app

Let’s say you install the package gallery.boomla.net which will be mounted at

//example.com/sys/packages/gallery.boomla.net

You create a gallery instance at /gallery and set its type to a gallery app within the package, say:

//example.com/sys/packages/gallery.boomla.net/v2

Your website’s root page will display this gallery.

When a visitor loads your website root at //example.com, the gallery will be rendered by executing the gallery app within the gallery package. It will not be sandboxed to the gallery package, because the request originated outside the sandbox at //example.com.

The behavior will be identical for all visitors, whether they are the website owner or an anonymous visitor.
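
The two scenarios above, modelled as an added example (this is not Boomla's code): it resolves the sandbox root for a request and checks whether a read stays inside it. The function names, the mount list and the assumption that paths arrive already URL-decoded are illustrative.

```javascript
// Constructed sample: package mount points taken from the post's examples.
const MOUNTS = [
  '/sys/packages/ide.boomla.com',
  '/sys/packages/gallery.boomla.net',
];

// Resolve "." and ".." and collapse repeated slashes, so the checks
// below always compare canonical absolute paths.
function normalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// True when p is root itself or lies below it. The comparison is made on
// whole path segments, so "/a/pkg.evil" is never treated as inside "/a/pkg".
function isWithin(root, p) {
  return root === '/' || p === root || p.startsWith(root + '/');
}

// Sandbox root for a request: the package root when the request URL is
// inside an installed package and the visitor is not the website owner,
// otherwise the website root (no package sandboxing).
function sandboxRoot(requestPath, isOwner, mounts = MOUNTS) {
  if (isOwner) return '/';
  const req = normalize(requestPath);
  return mounts.find((m) => isWithin(m, req)) || '/';
}

// Whether a read performed while serving the request stays in the sandbox.
// The target is normalized first so ".." segments cannot step outside it.
function canRead(requestPath, isOwner, targetPath, mounts = MOUNTS) {
  return isWithin(sandboxRoot(requestPath, isOwner, mounts), normalize(targetPath));
}

const IDE = '/sys/packages/ide.boomla.com';
console.log(canRead(IDE, true, '/gallery'));   // owner in the IDE
console.log(canRead(IDE, false, '/gallery'));  // other visitor in the IDE
console.log(canRead('/', false, '/gallery'));  // gallery rendered from the site root
```
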

Why

Until now, tools were hosted on external websites and marked as tools on the Control Panel which gave them cross-site access. This has been a temporary solution as it doesn’t scale very well.

While this approach is still available, it is now deprecated and will be removed in the future. Clicking the IDE link in your toolbar now will check if the IDE is already installed on your website. If not, it will take you through a next-next-finish installation flow before landing you in your IDE.

Additional benefits

  • undo/redo is now available in the IDE,

  • you can now copy/paste across your website and the IDE as they use the same clipboard,

  • the New Panel is now available in the IDE as well.

