Running user-provided JS in QuickJS in WebAssembly in a worker in a sandboxed iframe on a different domain would offer many layers of security.
This is very similar to how Third Room’s user generated content engine is being implemented (supporting C, Rust and Zig alongside QuickJS though): https://thenewstack.io/third-room-teases-user-generated-cont...
Another library I found recently, which has a different take (simpler API) for using QuickJS compiled to WASM:
Imagine something like a "base system" with WebAssembly, a bare-bones HTML engine with canvas support and no CSS. So now you can just download your favourite JS engine, your favourite HTML and CSS engines. But the browser does not necessarily need to ship those. It would lower the bar for entry into the browser market. I think that even a single person could implement that kind of base browser.
Of course there are many hard questions. For example, downloading an entire JS+HTML+CSS engine with every website is not a good approach; some caching must be done. There should not be version hell with every website asking for a different version of the engine. But those questions could be approached as more general web library issues.
Hello, library author here. Happy to answer whatever questions you have.
Is this also possible with Go as the host instead of TypeScript?
Because it wouldn't be HN if someone didn't: https://www.destroyallsoftware.com/talks/the-birth-and-death...
Would you use this to run untrusted JS on the server?
Related:
QuickJS JavaScript Engine - https://news.ycombinator.com/item?id=30598026 - March 2022 (67 comments)
A small but complete JavaScript engine - https://news.ycombinator.com/item?id=24867103 - Oct 2020 (146 comments)
QuickJS JavaScript Engine - https://news.ycombinator.com/item?id=20411154 - July 2019 (261 comments)
QuickJS JavaScript Engine - https://news.ycombinator.com/item?id=20404503 - July 2019 (3 comments)