Ask HN: Web Workers to Run User Code in Browser
So I built Data Janitor (https://www.csvjson.com/datajanitor) a tool to allow users to clean and transform tabular data in the browser running their own JavaScript function. I use Web Workers to isolate the code for security and performance purposes (the user can press Stop to halt the worker).
With regards to security, is this a good idea? What can I do to further bullet proof this concept. I really want the code to run on the user's computer - not server-side. For efficiency and privacy reasons.
Worker JavaScript is here: https://github.com/martindrapeau/csvjson-app/blob/master/js/src/sandbox.js It is called here: https://github.com/martindrapeau/csvjson-app/blob/master/js/src/datajanitor-code.js#L100
4 comments
[ 3.1 ms ] story [ 15.2 ms ] threadI have done some investigation on this topic, initially I did something similar to yours, run code in a webworker. But because I want the users to render graphics, webworker is very limited (offscreencanvas) and doesn't support mobile well.
https://stackoverflow.com/questions/5044608/javascript-sandb...
both google and facebook have developed some kind of sandbox for javascript. I briefly checked the google thing, I didn't like it, because it put limitations on the javascript users can write. it also needs a compiler server, which adds complexity to my backend.
my current choice is similar to that of jsfiddle, codepen and observablehq.com, I let users to run code in a sandboxed iframe. I have some restrictions on the iframe and the iframe is served with a different domain, so it is isolated from my main site.
https://stackoverflow.com/questions/8004001/how-does-jsfiddl...
In my case I do not want user code to gain access to the DOM.
Wondering if anyone's wrapped a worker inside an iframe to offer that extra security.