How ShareMyPage Safely Runs User-Uploaded JavaScript
ShareMyPage isolates uploaded HTML and JavaScript in a null-origin sandbox on a cookieless domain, blocking XSS and session hijacking without sanitizing code.
ShareMyPage runs whatever HTML users upload, including JavaScript often generated by AI and never manually reviewed, without stripping or sanitizing it first. Instead of chasing every dangerous construct in an arms race it would eventually lose, the team assumes every page is hostile and builds an architecture where that assumption simply doesn't matter.
The core mechanism is running each shared page inside a sandboxed iframe that deliberately omits allow-same-origin. That single omission gives the framed document a null origin: scripts still execute, but document.cookie returns empty, localStorage is unreachable, and the page cannot touch its parent. Never combining allow-scripts with allow-same-origin is the one rule the whole system depends on.
A second, independent layer serves the content from a separate, cookieless origin via short-lived signed URLs, entirely apart from the app users log into. So even in a hypothetical sandbox escape, there's no session cookie or token to steal. Together, the null-origin sandbox and the cookieless origin make classic XSS injection and JavaScript-based session hijacking structurally impossible, backed by further layers like signed URLs, a strict content security policy, server-side authorization, and encrypted private storage.
The team is explicit about what this doesn't solve: isolation protects against the code, not the author's intentions. A public link can still host misleading content, which is a moderation issue rather than a same-origin one, and users retain control over exactly who can view each page.