[HN Gopher] Show HN: Run unsafe user generated JavaScript in the...
___________________________________________________________________
Show HN: Run unsafe user generated JavaScript in the browser
I needed a way to let users write JavaScript to create plugins for
a site I'm building. I couldn't find a solution I was happy with,
so ended up building one that runs it in a web worker on a
separate domain from your main site. Hopefully I haven't missed
anything. If so, please let me know! My website has an interactive
demo: you can write code in the browser textarea and see the output
on the right.
Interactive Demo: https://workerbox.net/
GitHub: https://github.com/markwylde/workerbox
Author : turblety
Score : 49 points
Date : 2022-11-19 18:25 UTC (4 hours ago)
(HTM) web link (workerbox.net)
| rootw0rm wrote:
| Once upon a time there was a private retro gaming BitTorrent
| tracker called UG. They had a few browser games, one of which was
| blackjack. I wrote a greasemonkey script to play blackjack for me
| unattended, folks were not amused =(
| oso2k wrote:
| Once upon a time, Crockford worked on ADSafe for a similar goal.
|
| https://www.crockford.com/adsafe/
| jitl wrote:
| If you need to call into user-generated Javascript
| _synchronously_ or have greater control over the sandbox
| environment, you can use WebAssembly to run a Javascript
| interpreter:
| https://github.com/justjake/quickjs-emscripten#quickjs-emscr...
|
| QuickJS in WebAssembly is much slower than your browser's native
| Javascript runtime, but possibly faster than async calls using
| postMessage. As an added bonus, it can make _async functions_ in
| the host _appear to be synchronous_ inside the sandbox using
| asyncify:
| https://github.com/justjake/quickjs-emscripten#async-on-host...
| idealmedtech wrote:
| I know the industry has moved on to WebAssembly, but I thought
| it might be worth mentioning that I just recently finished a
| personal project to compile an arbitrary NodeJS script in
| QuickJS and call the code from C - all* in a statically or
| dynamically linked library, no support files.
|
| In case anyone is interested in calling JS from old school
| C-supported languages, check it out:
| https://github.com/ijustlovemath/determine-basal-native
|
| It's specific to my application but could easily be reused with
| a few tweaks.
|
| * Mostly all, the last step is to store the ESM JS script text
| in an object file and link it in, which I'm still working on.
| laurencerowe wrote:
| I believe SharedArrayBuffer and Atomics.wait allow the same
| synchronous access within the worker to async functions in the
| host. This is the approach used by PartyTown:
| https://partytown.builder.io/how-does-partytown-work
| m1sta_ wrote:
| Nobody has benchmarked postMessage vs QuickJS?
| xmonkee wrote:
| Oh, dude! Genius. I needed something exactly like this. Is there
| a similar lightweight approach in node land?
|
| Edit: my usecase is a form builder where users can specify fields
| that have their values computed from other fields. I've had to
| hobble it by using templating languages for the custom code, or
| just let them use javascript and be okay with the risk since the
| users get their own subdomain, so it's kinda like their own
| website.
| [deleted]
| AshleysBrain wrote:
| The upcoming JavaScript Shadow Realms proposal looks like it
| solves a similar problem:
| https://github.com/tc39/proposal-shadowrealm/blob/main/expla...
| yonixw wrote:
| Please note a function like `fetch` still works, and there might be
| privacy (and security!) issues in this method.
| arkadiyt wrote:
| Figma has a great blog post on some different user-generated
| javascript isolation approaches [1]. They discuss this iframe
| approach, running a webassembly javascript interpreter (also
| suggested in these thread comments), and using javascript realms.
| In the post they originally opted for javascript realms but
| there's an edit at the top - it seems like they ended up
| switching to the webassembly javascript interpreter approach.
|
| [1]: https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...
| nubb wrote:
| open invite for security researchers to test this app?
| spiffytech wrote:
| What advantages does workerbox have over existing solutions like
| jailed[1]?
|
| [1] https://github.com/asvd/jailed
| ehhthing wrote:
| You can achieve the same thing with iframes using the "sandbox"
| attribute.
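
Added example, not part of the thread and not workerbox's code: two comments above point out that `fetch` still works inside the worker and that an iframe `sandbox` attribute gives similar isolation. The JavaScript below combines both for a host page, using a CSP in the frame to refuse network requests from the worker. All function names and the `hostOrigin` parameter are hypothetical, and it assumes the browser allows blob: workers inside a sandboxed frame.

```javascript
// Added example; all names here are hypothetical, not workerbox's API.
// Policy for the frame document. A worker created from a blob: URL inherits the
// CSP of the document that created it, so fetch/XHR/WebSocket in the worker fall
// back to default-src 'none' and are refused.
const FRAME_CSP =
  "default-src 'none'; script-src 'unsafe-inline' blob:; worker-src blob:";

// Serialize text as a JS string literal that cannot close the inline <script>
// or open an HTML comment: every "<" becomes \u003c.
function toScriptLiteral(text) {
  return JSON.stringify(String(text)).replace(/</g, '\\u003c');
}

// Build the srcdoc: bootstrap code that starts the user code in a worker and
// relays its messages to the host page only.
function buildSrcdoc(userCode, hostOrigin) {
  const bootstrap = [
    `const code = ${toScriptLiteral(userCode)};`,
    `const host = ${toScriptLiteral(hostOrigin)};`,
    `const url = URL.createObjectURL(new Blob([code], { type: 'text/javascript' }));`,
    `const worker = new Worker(url);`,
    `worker.onmessage = (e) => parent.postMessage({ type: 'result', data: e.data }, host);`,
    `worker.onerror = (e) => parent.postMessage({ type: 'error', data: String(e.message) }, host);`,
  ].join('\n');
  return `<!doctype html><meta http-equiv="Content-Security-Policy" ` +
    `content="${FRAME_CSP}"><script>${bootstrap}</script>`;
}

// Create the frame. sandbox="allow-scripts" without allow-same-origin gives the
// frame an opaque origin: no cookies, storage or DOM of the host page.
function mountSandbox(doc, userCode, hostOrigin) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts');
  frame.srcdoc = buildSrcdoc(userCode, hostOrigin);
  frame.hidden = true;
  doc.body.appendChild(frame);
  return frame;
}

// Accept only messages from our frame, with the opaque origin ("null") and one
// of the two shapes the bootstrap sends; treat data as untrusted regardless.
function isFromSandbox(event, frame) {
  const d = event.data;
  return event.source === frame.contentWindow &&
    event.origin === 'null' &&
    d !== null && typeof d === 'object' &&
    (d.type === 'result' || d.type === 'error');
}
```

On the host page, call `mountSandbox(document, code, location.origin)` and filter `message` events through `isFromSandbox` before using them. A srcdoc frame is also subject to the host page's own CSP, so a host policy that forbids inline scripts will stop the bootstrap from running.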
___________________________________________________________________
(page generated 2022-11-19 23:00 UTC)