
Package sandboxing

2019-07-23

You will often need to install tools on your website to extend its functionality. The first such tool is typically the IDE, which lets you edit the filesystem of your website. With the IDE, you can list all the files, read all their attributes and file contents. That’s great as long as it is only you reading all that data, but you may not want to allow everyone else to do so.

To prevent this, Boomla introduces package sandboxing: requests that hit a URL within an installed package will be sandboxed to that package, unless the visitor is the website owner.

 

Example scenarios

Using the IDE

The IDE is typically installed at

//example.com/sys/packages/ide.boomla.com

You will go to the same address to access the IDE, generally by clicking the IDE link in your toolbar when you are logged in.

If you are logged in as the website’s owner, the sandbox root will be //example.com, so you (and therefore the IDE) will have full access to the entire website. In this case, effectively no package sandboxing is applied.

Any other visitor, either logged on to the Boomla platform or not, will be sandboxed to the package root:

//example.com/sys/packages/ide.boomla.com

This means that the visitor will have full read access to the entire package tree, but no access to your website outside the package.

Using a gallery app

Let’s say you install the package gallery.boomla.net which will be mounted at

//example.com/sys/packages/gallery.boomla.net

You create a gallery instance at /gallery and set its type to a gallery app within the package, say:

//example.com/sys/packages/gallery.boomla.net/v2

Your website’s root page will display this gallery.

When a visitor loads your website root at //example.com, the gallery will be rendered by executing the gallery app within the gallery package. It will not be sandboxed to the gallery package, because the request originated outside the sandbox at //example.com.

The behavior will be identical for all visitors, whether they are the website owner or an anonymous visitor.
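The two scenarios above can be modelled as one decision on the request URL and the visitor's identity. The following is an added sketch, not Boomla's own code: the function names, the site-relative paths and the `INSTALLED` list are assumptions made for illustration, and the read check goes slightly beyond the post by showing how path normalisation and a boundary-aware prefix test keep a sandboxed request inside the package tree.

```javascript
// Added illustration of the rule described in the post; not Boomla's code.
// PACKAGES_DIR, INSTALLED and all function names are assumptions.
const PACKAGES_DIR = '/sys/packages/';
const INSTALLED = ['ide.boomla.com', 'gallery.boomla.net']; // constructed sample

// Resolve '.' and '..' segments so '../' cannot step out of a sandbox.
function normalize(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Package root the request URL falls under, or null if it targets no package.
function packageRootOf(requestPath, installed) {
  const p = normalize(requestPath) + '/';
  if (!p.startsWith(PACKAGES_DIR)) return null;
  const name = p.slice(PACKAGES_DIR.length).split('/')[0];
  return installed.includes(name) ? PACKAGES_DIR + name : null;
}

// The root depends on where the request entered the site and on who is
// asking, not on where the code that ends up executing is stored.
function sandboxRoot(requestPath, isOwner, installed) {
  const pkgRoot = packageRootOf(requestPath, installed);
  return pkgRoot === null || isOwner ? '/' : pkgRoot;
}

// Read check against a sandbox root. Comparing with root + '/' stops a
// sibling such as 'ide.boomla.com.evil' from matching by string prefix.
function canRead(root, targetPath) {
  const t = normalize(targetPath);
  return root === '/' || t === root || t.startsWith(root + '/');
}

const ideUrl = '/sys/packages/ide.boomla.com';
console.log(sandboxRoot(ideUrl, true, INSTALLED));   // owner opens the IDE
console.log(sandboxRoot(ideUrl, false, INSTALLED));  // any other visitor
console.log(sandboxRoot('/', false, INSTALLED));     // gallery rendered at the site root
```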

Why

Until now, tools were hosted on external websites and marked as tools on the Control Panel, which gave them cross-site access. This was a temporary solution, as it doesn’t scale very well.

While this approach is still available, it is now deprecated and will be removed in the future. Clicking the IDE link in your toolbar now will check if the IDE is already installed on your website. If not, it will take you through a next-next-finish installation flow before landing you in your IDE.

Additional benefits

  • undo/redo is now available in the IDE,

  • you can now copy/paste across your website and the IDE as they use the same clipboard,

  • the New Panel is now available in the IDE as well.


Cheers,

you can follow me on Twitter