Comment by MobiusHorizons

Comment by MobiusHorizons 19 hours ago

10 replies

View on Hacker News

What is the purpose of compiling this to web assembly? What web assembly runtimes are there where there is not already an easily accessible (substantially faster) js execution environment? I know wasmtime exists and is not tied to a js execution engine like basically every other web assembly implementation, but the uses of wasmtime are not restricted from dependencies like v8 or jsc. Usually web assembly is used for providing sandboxing something a js execution environment is already designed to provide, and is only used when the code that requires sandboxing is native code not javascript. It sounds like a good way to waste a lot of performance for some additional sandboxing, but I can't imagine why you would ever design a system that way if you could choose a different (already available and higher performance) sandbox.

simonw 18 hours ago

I want to build features - both client- and server-side - where users can provide JavaScript code that I then execute safely.

Just having a WebAssembly engine available isn't enough for this - something has to take that user-provided string of JavaScript and execute it within a safe sandbox.

Generally that means you need a JavaScript interpreter that has itself been compiled to WebAssembly. I've experimented with QuickJS itself for that in the past - demo here: https://tools.simonwillison.net/quickjs - but MicroQuickJS may be interesting as a smaller alternative.

If there's a better option than that I'd love to hear about it!

Reply View 7 replies
  • MobiusHorizons 17 hours ago

    This is generally the purpose of JavaScript execution environments like v8 or jsc (or quickjs although I understand not trusting that as a sandbox to the same degree). They are specifically intended for executing untrusted scripts (eg web browsers). Web assembly’s sandboxing comes from js sandboxing, since it was originally a feature of the same programs for the same reasons. Wrapping one sandbox in another is what I’m surprised by.

    Reply View 5 replies
    • simonw 16 hours ago

      Running v8 itself as a sandbox is non-trivial, at least embedded in a Python or Node.js or similar application.

      The web is littered with libraries that half do that and then have a note in the README that says "do not rely on this as a secure sandbox".

      Reply View 4 replies
      • MobiusHorizons 15 hours ago

        Is it though? I have not personally used these libraries, but a cursory google search reveals several options: - cloudflare/STPyV8: [0] From cloudflare, intended for executing untrusted code. - Pythonmonkey: [1] Embeds spidermonkey. Not clearly security focused, but sandboxing untrusted code is literally the point of browser js engines.

        It's a little less clear how you would do this from node, but the v8 embedding instructions should work https://v8.dev/docs/embed even if nodejs is already a copy of v8.

        [0]: https://github.com/cloudflare/stpyv8 [1]: https://docs.pythonmonkey.io

        Reply View 3 replies
kettlecorn 12 hours ago

As I noted in another comment Figma has used QuickJS to run JS inside Wasm ever since a security vulnerability was discovered in their previous implementation.

In a browser environment it's much easier to sandbox Wasm successfully than to sandbox JS.

Reply View 1 reply
  • MobiusHorizons 9 hours ago

    That’s very interesting! Have they documented the reasoning for that approach? I would have expected iframes to be both simpler and faster sandboxing mechanism especially in compute bound cases. Maybe the communication overhead is too high in their workload?

    EDIT: found this from your other comment: https://www.figma.com/blog/an-update-on-plugin-security/ they do not address any alternatives considered.

    Reply View 0 replies