
Ask HN: Web Workers to Run User Code in Browser - martin_drapeau
So I built Data Janitor (https:&#x2F;&#x2F;www.csvjson.com&#x2F;datajanitor) a tool to allow users to clean and transform tabular data in the browser running their own JavaScript function. I use Web Workers to isolate the code for security and performance purposes (the user can press Stop to halt the worker).<p>With regards to security, is this a good idea? What can I do to further bullet proof this concept. I really want the code to run on the user&#x27;s computer - not server-side. For efficiency and privacy reasons.<p>Worker JavaScript is here: https:&#x2F;&#x2F;github.com&#x2F;martindrapeau&#x2F;csvjson-app&#x2F;blob&#x2F;master&#x2F;js&#x2F;src&#x2F;sandbox.js
It is called here: https:&#x2F;&#x2F;github.com&#x2F;martindrapeau&#x2F;csvjson-app&#x2F;blob&#x2F;master&#x2F;js&#x2F;src&#x2F;datajanitor-code.js#L100
======
billconan
I'm also developing a website that allows users to run their own code.

I have done some investigation on this topic, initially I did something
similar to yours, run code in a webworker. But because I want the users to
render graphics, webworker is very limited (offscreencanvas) and doesn't
support mobile well.

[https://stackoverflow.com/questions/5044608/javascript-
sandb...](https://stackoverflow.com/questions/5044608/javascript-sandbox)

both google and facebook have developed some kind of sandbox for javascript. I
briefly checked the google thing, I didn't like it, because it put limitations
on the javascript users can write. it also needs a compiler server, which adds
complexity to my backend.

my current choice is similar to that of jsfiddle, codepen and
observablehq.com, I let users to run code in a sandboxed iframe. I have some
restrictions on the iframe and the iframe is served with a different domain,
so it is isolated from my main site.

[https://stackoverflow.com/questions/8004001/how-does-
jsfiddl...](https://stackoverflow.com/questions/8004001/how-does-jsfiddle-
allow-and-execute-user-defined-javascript-without-being-danger)

~~~
martin_drapeau
Yes, it seems a sandboxed iframe can offer an extra layer of security
preventing XHR calls for instance.

In my case I do not want user code to gain access to the DOM.

Wondering if anyone's wrapped a worker inside an iframe to offer that extra
security.

~~~
billconan
yes, I used iframe + worker at the beginning. I gave up worker for the above
reason. I also don't want users to change dom actually.

