
I want the web to be more end-user programmable. Web apps big and small should offer plugin extension mechanisms! Ideally plug-ins are frictionless to author, and powerful enough to build fun UIs. Today, only really big premier apps like Figma and Google Docs have this kind of feature.

One problem is that it’s very difficult for an app to run arbitrary, untrusted user code in a way that’s secure and efficient, especially in the browser. Apps need to worry about XSS and unintended remote code execution, much less try adding those things as a feature.

I started working on a TypeScript/WebAssembly library around the QuickJS JavaScript runtime to address this need. QuickJS runs modern ES2020 and provides an API for the host process to set CPU and memory budgets for the execution environment, which is completely sandboxed. My work so far exposes a basic interface to create VMs, expose APIs from the host to the guest, and evaluate code.

Repo: https://github.com/justjake/quickjs-emscripten

NPM: https://www.npmjs.com/package/quickjs-emscripten

Areas of work:

- Make the library importable as ES modules on the web without a Webpack build step.

- Design higher-level but still security-conscious APIs for building plugin systems on top of the existing library.

- Expose more QuickJS C APIs to library users.

- Performance or ergonomic improvements.

If you share any of these goals or would like to help out, please drop me a line on GitHub (e.g., by opening an issue), or via any of the links on my HN profile.




Very cool. I'm following a similar goal but interacting with services via their existing APIs[0]. Just making that way way easier. QuickJS is such an awesome creation.

It's your goal for applications to adopt your library as a generic extension mechanism? I really like this idea.

[0] membrane.io


I expect you already know about this, but Secure EcmaScript is a similar project: https://medium.com/agoric/ses-securing-javascript-in-the-rea...

Similarly the older Caja project: https://en.wikipedia.org/wiki/Caja_project


Wow, there's been a bunch of public work in this space since I started! I was aware of the Agoric Realms work that preceded SES, but haven't kept up with their progress. I looked over some of the current SES/Realms code, and didn't (quickly) find anything that can limit CPU or memory consumption of the untrusted code in the browser. I decided to base my efforts on QuickJS/WebAssembly because there's much less inherent risk and a greater guaranteed deal of control compared to any solution that shares a GC heap with the untrusted code.

FWIW, Figma's plugin system started out with Agoric's Realms shim and then switched to QuickJS after a security incident: https://www.figma.com/blog/an-update-on-plugin-security/



