zlacker

[parent] [thread] 7 comments
1. Swifty+(OP)[view] [source] 2025-05-30 17:30:41
Kind of almost off-topic: I'm working on a project where I must run possibly untrusted JavaScript code. I want to run it in an isolated environment. This looks like a very nice solution as I could spin up a microsandbox and securely run the code. I could even have a pool os live sandboxes so I wouldn't even experience the 200ms starts. Because this is OCI-compatible, I could even provide a whole sandboxed environment on which to run that code. Would that be a good use case for this? Are there better alternatives?
replies(4): >>appcyp+k1 >>ericb+35 >>apitma+2T >>arjunb+Jy1
2. appcyp+k1[view] [source] 2025-05-30 17:41:41
>>Swifty+(OP)
> Would that be a good use case for this?

That is an ideal use case

> Are there better alternatives?

Created microsandbox because I didn't find any

replies(2): >>Swifty+x4 >>spixy+rS2
◧◩
3. Swifty+x4[view] [source] [discussion] 2025-05-30 18:03:09
>>appcyp+k1
Awesome. This is really good timing. I'm going to give it a try.
4. ericb+35[view] [source] 2025-05-30 18:06:40
>>Swifty+(OP)
runsc / gVisor is interesting also as the runsc engine can be run from within Docker/Docker Desktop.

gVisor has performance problems, though. Their data shows 1/3rd the throughput vs. docker runtime for concurrent network calls--if that's an issue for your use-case.

5. apitma+2T[view] [source] 2025-05-31 03:50:08
>>Swifty+(OP)
You might be able to get away with running QuickJS compiled to WebAssembly: https://til.simonwillison.net/npm/self-hosted-quickjs
replies(1): >>yencab+Bx2
6. arjunb+Jy1[view] [source] 2025-05-31 13:56:49
>>Swifty+(OP)
I recommend trying Javy[0]. Javy allows you to build a WASM file that includes Javy's JS interpreter along with your JS source code. Note that Javy is a heavily sandboxed environment so it doesn't have access to the internet, or npm modules, a desirable feature for running user code.

We're building an IoT Cloud Platform, Fostrom[1] where we're using Javy to power our Actions infrastructure. But instead of compiling each Action's JS code to a Javy WASM module, I figured out a simpler way by creating a single WASM module with our wrapper code (which contains some further isolation and helpful functions), and we provide the user code as an input while executing the single pre-compiled WASM module.

[0] https://github.com/bytecodealliance/javy

[1] https://fostrom.io

◧◩
7. yencab+Bx2[view] [source] [discussion] 2025-06-01 01:39:51
>>apitma+2T
Convenience helper for that: https://github.com/bytecodealliance/javy
◧◩
8. spixy+rS2[view] [source] [discussion] 2025-06-01 08:10:19
>>appcyp+k1
Windows has built-in sandbox and its good.

https://learn.microsoft.com/en-us/windows/security/applicati...

[go to top]