QuickJS Running in WebAssembly(github.com)
github.com
QuickJS Running in WebAssembly
https://github.com/justjake/quickjs-emscripten
27 comments
Running user provided js in quickjs in webassembly in a worker in an sandboxed iframe on a different domain would offer many layers of security
I think that is what Figma does: https://www.figma.com/blog/an-update-on-plugin-security/
The library was inspired by Figma’s blog posts about their plug-in system: https://github.com/justjake/quickjs-emscripten#background
Ah ok, I see.
One of the companies I worked for did exactly that to safely run customers' JS code, while also limiting / extending the API surface available.
The performance was quite adequate.
The performance was quite adequate.
This is very similar to how Third Room’s user generated content engine is being implemented (supporting C, Rust and Zig alongside QuickJS though): https://thenewstack.io/third-room-teases-user-generated-cont...
Another library I found recently, which has a different take (simpler API) for using QuickJS compiled to WASM:
https://github.com/taowen/define-function
https://github.com/taowen/define-function
Imagine something like "base system" with WebAssembly, bare bones HTML engine with canvas support and no CSS. So now you can just download your favourite JS engine, your favourite HTML, CSS engines. But browser does not necessarily need to sheep those. It would allow to lower the bar for entry into browser market. I think that even a single person could implement that kind of base browser.
Of course there're many hard questions. For example downloading an entire JS+HTML+CSS engine with every website is not a good approach, some caching must be done. There should not be version hell with every website asking for a different version of engine. But those questions could be approached as a more general web library issues.
Of course there're many hard questions. For example downloading an entire JS+HTML+CSS engine with every website is not a good approach, some caching must be done. There should not be version hell with every website asking for a different version of engine. But those questions could be approached as a more general web library issues.
Check out Geminispace https://gemini.circumlunar.space - one of the design requirements of the protocol is that it be simple enough that a single person can implement a browser for it in a weekend.
But convergence on a minimal set of solutions is inevitable. Even though Geminispace could have hundreds of browsers, most people just use one of the most popular ones, like Lagrange.
Your solution wouldn't lead to a vibrant marketplace of competing web engines, everyone would just ship the equivalent of Chromium like they do now and call it a day.
But convergence on a minimal set of solutions is inevitable. Even though Geminispace could have hundreds of browsers, most people just use one of the most popular ones, like Lagrange.
Your solution wouldn't lead to a vibrant marketplace of competing web engines, everyone would just ship the equivalent of Chromium like they do now and call it a day.
I'm not sure, just for the fact that the best browser is something that could vary quickly, there might be niches, different native versions...
Like on an Apple II?
https://web.archive.org/web/20150405004057/http://apple2info...
https://web.archive.org/web/20150405004057/http://apple2info...
Cross origin caching of resources is a privacy risk
If site A can tell based on timing information that you probably visited site B recently, that's a pretty big privacy issue
This has largely killed cross-origin caching on the web, as I understand it
If site A can tell based on timing information that you probably visited site B recently, that's a pretty big privacy issue
This has largely killed cross-origin caching on the web, as I understand it
Ah yes, Java applets.
Is this also possible with Go as the host instead of TypeScript?
Yes but not this exact module. You can use wasmtime-go to run wasm modules in go programs. You just need to compile quickjs to wasm
I’m not sure if anyone has done so yet for Go, but Shopify has done this for Rust.
https://github.com/Shopify/javy/tree/main/crates/quickjs-was...
https://github.com/Shopify/javy/tree/main/crates/quickjs-was...
Because it wouldn't be HN if someone didn't: https://www.destroyallsoftware.com/talks/the-birth-and-death...
Would you use this to run untrusted JS on the server?
From what I understand, this allows you to run untrusted js anywhere, as long as there’s a wasm runtime.
This repo in particular is for JavaScript host environments
This repo in particular is for JavaScript host environments
Not sure if I'd trust the wasm runtime. If someone breaks out of that it's game over. QuickJS in a unikernel in something like Firecracker VM would be the most secure approach and still provide good performance and startup time.
Another thing is resource consumption where you likely want to limit cpu- and mem-usage.
Another thing is resource consumption where you likely want to limit cpu- and mem-usage.
I recommend Lambda as an easy way to create ephemeral Firecracker VMs and set overall limits on host + guest. For casual use, the memory and CPU limits available in the library should be enough.
I use it on both client and server. A easy way to get excellent security in the server is to run inside AWS Lambda or similar FaaS that uses strong VM isolation; ideally with a lambda instance per user.
You can just run QuickJS (without std lib) as a separate process running as an unprivileged user with seccomp rules.
WASM probably doesn't add much there.
WASM probably doesn't add much there.
QuickJS JavaScript Engine - https://news.ycombinator.com/item?id=30598026 - March 2022 (67 comments)
A small but complete JavaScript engine - https://news.ycombinator.com/item?id=24867103 - Oct 2020 (146 comments)
QuickJS JavaScript Engine - https://news.ycombinator.com/item?id=20411154 - July 2019 (261 comments)
QuickJS JavaScript Engine - https://news.ycombinator.com/item?id=20404503 - July 2019 (3 comments)