Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Actually, since javascript has an eval function, shouldn't it be straightforward to support it in the browser?


Straight-up eval() would be the most blatant case of a remote code execution vulnerability the web has ever seen. I don't think it's easy or even possible to build a foolproof sandbox out of eval(). And even then you open yourself to a denial of service since you cannot interrupt the eval().


You can build a foolproof sandbox, but at the 'OS-level', not at the 'language' level. By disabling syscalls and setting resource limits.

You can read more here: http://www.eelis.net/geordi/#faq


I think the link to Geordi is not quite relevant here (although it is super cool): the claim was that it's hard to build a foolproof sandbox out of eval(). If you're using Geordi, since it's a separate process in a chroot, you can't use eval(). If you're giving up on eval(), you can write a foolproof sandboxed JS evaluator in JS alone.

Besides, the hard part with all sandboxes is not making the sandboxing itself solid; that's straightforward. The hard part is giving it a sufficiently rich interface to the outside world to do useful things, while not giving it so rich an interface that it can escape through that hole. All the semi-recent vulnerabilities in qemu, for instance, have been in virtual devices, not in actually emulating a processor.

Geordi's story is relatively easy, since all it does is compile code and execute it in an intentionally-minimal interface. JS on a web page has thousands of things it can do to the web page or to the outside world, if you want to implement it according to spec.


My mistake, You are right. I had read the question as foolproof sandbox that included eval.

One can see the banning the syscalls approach as cutting the Gordian knot.


I think it would still be non-trivial as event bindings, DOM bindings and others things would not work out of the box. It's a super neat idea though.


Actually the non-js part is here by choice. The goal is to do a browser that let you only read things, not interacting, and no distractions.


I agree with you that webpages are sometimes too animations heavy. There is w3m as well that is a read-only browser.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: