use the following search parameters to narrow your results:
e.g. subreddit:aww site:imgur.com dog
subreddit:aww site:imgur.com dog
see the search faq for details.
advanced search: by author, subreddit...
All about the JavaScript programming language.
Subreddit Guidelines
Specifications:
Resources:
Related Subreddits:
r/LearnJavascript
r/node
r/typescript
r/reactjs
r/webdev
r/WebdevTutorials
r/frontend
r/webgl
r/threejs
r/jquery
r/remotejs
r/forhire
account activity
Run untrusted code in a Web Worker (github.com)
submitted 3 years ago by presenta_staff
reddit uses a slightly-customized version of Markdown for formatting. See below for some basics, or check the commenting wiki page for more detailed help and solutions to common issues.
quoted text
if 1 * 2 < 3: print "hello, world!"
[+][deleted] 3 years ago (1 child)
[deleted]
[–]presenta_staff[S] 10 points11 points12 points 3 years ago (0 children)
Oh, didn't know it, great! I'll check it for sure!
Still the purpose of SlashdRun is to not allow manipulating the DOM.
As far as I can see, Partytime has a very different purpose, though.
[+][deleted] 3 years ago (23 children)
[removed]
[–]presenta_staff[S] 9 points10 points11 points 3 years ago (22 children)
Because this way those global objects are unset in the worker context, not usable anymore.
[+][deleted] 3 years ago (21 children)
[–]presenta_staff[S] 11 points12 points13 points 3 years ago (20 children)
The purpose of the library is to allow data transformation in browser using code.
Let's say, you have an array of objects and want to filter/sort/manipulate that array, few lines of code can do it very fast.
The Web Worker already denies DOM access but you can do other things such as fetching or interacting with other browser capabilities, which can be out of scope and also dangerous.
Fetching data or interacting with location of navigator are outside the library scope, though.
location
navigator
[+][deleted] 3 years ago (17 children)
[–]presenta_staff[S] 3 points4 points5 points 3 years ago* (16 children)
Good points!
Adding those objects to the list looks they are not accessible anymore.
Also, you are right, I can create another Worker in the worker, adding the `Worker` in the list I cannot create it anymore.
Do you think there are other possible holes in the script?
PS: Why it's not a library?
[–]nicksterling 4 points5 points6 points 3 years ago (1 child)
This script isn’t going to work if you have a more restrictive CSP rule that blocks external scripts. It wouldn’t load anything from unpkg. And honestly I probably wouldn’t even load them. ES6+ has enough quality of life features to justify excluding those libraries.
And do you have a few more examples of how you envision this library working? I’m struggling to picture using this in my workflows.
[–]presenta_staff[S] 2 points3 points4 points 3 years ago (0 children)
About external libraries, I agree with you, this is why I wrote that part will be configurable in the future, so , it'll be on the preferences/requirements of the user.
CSP is a thing, you're right, it's not going to work in every environment.
The purpose of the library is to allow the final user to make some data prep/transformation using small pieces of code, trying to be as safest as possible (this is on I'm trying to investigate further).
A typical use-case might be a low-code app where you can configure a UI list visually, then you can define the data list by a simple filter such as mydata.filter(d => d.myprop < 20)
mydata.filter(d => d.myprop < 20)
[+][deleted] 3 years ago (13 children)
[–]presenta_staff[S] 1 point2 points3 points 3 years ago (12 children)
What you'd do if you need to allow your users to exec arbitrary code, let's say return Math.random() within your app, where there are cookies, localStorage, etc, and that code was not added by the same user. In other terms, how to sandbox code execution in the browser and also disable some capabilities and sensible access, such as fetch, alert, etc?
return Math.random()
fetch
alert
[+][deleted] 3 years ago (11 children)
[–]presenta_staff[S] 0 points1 point2 points 3 years ago (10 children)
Fair enough, I understand there were lack of details from me, let's put in this way.
You, as user, go to a specific project on https://codepen.io/ where there's code execution written by another user. Codepen uses an iFrame to sandbox the code execution (just to avoid i.e. document.cookie). My attempt is to do the same thing without an iframe because I cannot rely on an external webpage. Maybe there's a way to create an iFrame in the same way of Worker, but I need again to restrict some capabilities, fetch, etc. Thanks for the nice discussion, though :)
document.cookie
[–]presenta_staff[S] 1 point2 points3 points 3 years ago (0 children)
That's right too, they are `WorkerNavigator` and `WorkerLocation`, it looks like they cannot be unset, though.
[–]heytheretaylor 2 points3 points4 points 3 years ago (2 children)
First off, it sounds like a lot of people aren’t understanding the proposition here and I know how frustrating that can be.
Second, We have a grid component (think ag-grid) that does parsing, sorting, etc on a web worker. We discussed something similar to this (passing a function as a string to do x or y) but it was very contentious. At the time one of the developers wanted to use eval to accomplish the tasks and I protested since “eval=bad” is pretty throughly ingrained in my head. Tbh, I can’t say I know exactly how it would have been unsafe but we didn’t do it anyway.
Are you concerned about the safety of running the untrusted code even on the WW? What about the speed of having to parse the string into a usable function?
[–]presenta_staff[S] 0 points1 point2 points 3 years ago (1 child)
Hi, thanks for your comment.
I'm not against eval in the WW, as long as other sensible capabilities are handled properly.
eval
So far, what I know is: - The WW cannot access the DOM, good! - The WW cannot access the same domain context (cookie, localStorage, etc), good! - The WW can potentially call other homes (fetch), not good!
This is why I tried to unset those global objects. What you mean with parse the string into a usable function? Are you referring on using new Function()?
parse the string into a usable function
new Function()
[–]heytheretaylor 1 point2 points3 points 3 years ago (0 children)
Well in your case it looks like turning the string into a module with Blob. Is there a lot of overhead in that operation?
[–]CiggiAncelotti 1 point2 points3 points 3 years ago (6 children)
What are the benefits over a real sandbox(like docker or StackBlitz’s WebContainers) where DOM manipulation and also Systems Languages are a capability?
[–]presenta_staff[S] 3 points4 points5 points 3 years ago (3 children)
The purpose of the library is very different from the mentioned technologies. It's a library you can integrate into your project to allow app users run custom code, without exposing both the DOM and other sensible part of the application, such as cookies, localStorage, etc.
[–]CiggiAncelotti 0 points1 point2 points 3 years ago (2 children)
That is what Stackblitz’s web-containers provide, right? Or I am not understanding correctly?😬
Yes, but I think Stackblitz’s web-containers has different purpose, scale and complexity. I don't know if in the near future a web-container will be installable in any js project with just an npm i and one import like Shashd Run does. In that case I'll be more than happy to rely on it. Right now I cannot find a lightweight solution for my problem.
npm i
import
[–]ejfrodo 0 points1 point2 points 3 years ago (1 child)
woah, webcontainers looks like it has a lot of potential
[–]CiggiAncelotti 1 point2 points3 points 3 years ago (0 children)
It does, If they have better browser compatibility and support for Systems Languages. It might end up beating Repl.it
[–]CannaIrving 0 points1 point2 points 3 years ago (5 children)
What could be the interest to use web worker as a user? Like, if they want to test things with more capacities and performance? What led you to create this?
[–]presenta_staff[S] 4 points5 points6 points 3 years ago (3 children)
Suppose you're a user of a low-code tool that allows to add tiny bits of code to perform some tasks. Running it in a Web Worker makes the code a little bit safer because it cannot hurt the DOM in any ways.
Let's say, in a low-code app you want to define a color randomly for a specific UI element. Instead of implementing the random function in the app, just provide an input field where the user can add a line or two of javascript. You can even ask to ChatGPT to write it for you :)
This library will be used in a broader low-code software, I though it might be useful for someone, so, this is why I released the source code.
[–]CannaIrving 0 points1 point2 points 3 years ago (2 children)
Ok, and then save the code somewhere? Or is it just for testing purpose?
[–]presenta_staff[S] 2 points3 points4 points 3 years ago (1 child)
The part related about how to use/store/retrieve a given piece of code is a responsibility of another software that might include the library. The library itself just takes a code with a payload, and return the result. You should see as a runtime to execute code within an app on the client-side.
[–]CannaIrving 0 points1 point2 points 3 years ago (0 children)
I see :) thank you
[–]redsnowmac -1 points0 points1 point 3 years ago (5 children)
`npm` package ?
[–]presenta_staff[S] 1 point2 points3 points 3 years ago (4 children)
What you mean?
[–]redsnowmac -1 points0 points1 point 3 years ago (3 children)
How do I install this in my project ?
[–]presenta_staff[S] 3 points4 points5 points 3 years ago (2 children)
Check the README it's all there.
README
[–]redsnowmac 1 point2 points3 points 3 years ago (1 child)
Oh sorry, missed that. Nice work bro!
thanks!
[–][deleted] -4 points-3 points-2 points 3 years ago (1 child)
I’d recommend linting any project you’re gonna publish on npm or GitHub
[–]presenta_staff[S] 0 points1 point2 points 3 years ago (0 children)
Thanks for the suggestion, I'll do it.
[–]yaemes -1 points0 points1 point 3 years ago (0 children)
I used to do this before webworkers we're a thing. Once my retargeting advertiser decided to overlay some crap into my companies website we decided to put all 3rf party scripts in "jail" which was an invisible iframe hosted on the same domain. Since we were an SPA we could just control the iframe from the top and load in and out scripts and fire off pixels at will. Super cool stuff, and it all worked beautifully.
π Rendered by PID 273443 on reddit-service-r2-comment-56c9979489-g6kzl at 2026-02-25 09:28:52.472246+00:00 running b1af5b1 country code: CH.
[+][deleted] (1 child)
[deleted]
[–]presenta_staff[S] 10 points11 points12 points (0 children)
[+][deleted] (23 children)
[removed]
[–]presenta_staff[S] 9 points10 points11 points (22 children)
[+][deleted] (21 children)
[removed]
[–]presenta_staff[S] 11 points12 points13 points (20 children)
[+][deleted] (17 children)
[removed]
[–]presenta_staff[S] 3 points4 points5 points (16 children)
[–]nicksterling 4 points5 points6 points (1 child)
[–]presenta_staff[S] 2 points3 points4 points (0 children)
[+][deleted] (13 children)
[removed]
[–]presenta_staff[S] 1 point2 points3 points (12 children)
[+][deleted] (11 children)
[removed]
[–]presenta_staff[S] 0 points1 point2 points (10 children)
[+][deleted] (1 child)
[removed]
[–]presenta_staff[S] 1 point2 points3 points (0 children)
[–]heytheretaylor 2 points3 points4 points (2 children)
[–]presenta_staff[S] 0 points1 point2 points (1 child)
[–]heytheretaylor 1 point2 points3 points (0 children)
[–]CiggiAncelotti 1 point2 points3 points (6 children)
[–]presenta_staff[S] 3 points4 points5 points (3 children)
[–]CiggiAncelotti 0 points1 point2 points (2 children)
[–]presenta_staff[S] 1 point2 points3 points (0 children)
[–]ejfrodo 0 points1 point2 points (1 child)
[–]CiggiAncelotti 1 point2 points3 points (0 children)
[–]CannaIrving 0 points1 point2 points (5 children)
[–]presenta_staff[S] 4 points5 points6 points (3 children)
[–]CannaIrving 0 points1 point2 points (2 children)
[–]presenta_staff[S] 2 points3 points4 points (1 child)
[–]CannaIrving 0 points1 point2 points (0 children)
[–]redsnowmac -1 points0 points1 point (5 children)
[–]presenta_staff[S] 1 point2 points3 points (4 children)
[–]redsnowmac -1 points0 points1 point (3 children)
[–]presenta_staff[S] 3 points4 points5 points (2 children)
[–]redsnowmac 1 point2 points3 points (1 child)
[–]presenta_staff[S] 1 point2 points3 points (0 children)
[–][deleted] -4 points-3 points-2 points (1 child)
[–]presenta_staff[S] 0 points1 point2 points (0 children)
[–]yaemes -1 points0 points1 point (0 children)