Limitations can be avoided using a Web extension and Native Messaging #1
Comments
|
That would be super nice to have, but unfortunately that would move away from it being a secure environment and also require an extension kind of going against the easy to setup/accessible nature of sandpack. But definitely something we can explore in the future. |
|
I was just giving you a heads up. If the user already has Node.js, Deno, Bun, QuickJS, txiki.js, etc. executable on their device it doesn't really make sense to me to try to mock Node.js et al., In fact I don't think you can if you are not using V8 as the JavaScript engine. I am not sure what you mean by "secure environment"? The user is in total control of the |
|
@DeMoorJasper An example of dynamically launching, controlling and executing arbitrary commands from the browser and streaming output to the browser using Native Messaging and |
|
Codesandbox's main product is sandboxes so with secure environment I mean an environment where a sandbox cannot access any of your host machine's files/network. Which is mostly impossible with your solution, deno comes close to this but still more friction. We have microvm's for the use-case of full compatibility as that comes with the same security without the need to setup any tooling. |
We are dealing with the executable on the users' machine. The user decides to execute or not execute any commands locally controlled from the browser using a Web extension with Native Messaging. Thus there is no "security" issue using a Web extension with Native Messaging. I think users want to access their host machine. I don't really see a point in attempting to duplicate a Node.js environment when the user has Node.js accessible or installed on the host machine. Just use the local I wish you folks the best of luck. |
I certainly don't. Any maintainer under the sun will tell you what a massive security risk it is for us to run most repros people share with us on our bug trackers. A solution like Nodebox which allows running "in-memory" projects within the scope of the browser is perfect for this kind of use case. |
How is it a security risk for you to run programs, shell scripts, applications on your machine that you control? You can't really emulate running Using Good luck! |
Think about this very carefully. You are proposing that users in the field install closed-source software on their host machine that the maintainers themselves cannot even talk about publicly #7 (comment)
so how are you going to fix any bugs relative to the underlying nodebox-runtime itself that the user installed on their host machine? You can't. Because you can't even talk about the implementation details publicly - yet this is a public repository on GitHub. Again, good luck. |
Users don't really install anything, it's like visiting a web page. That's what makes it secure. |
https://github.com/codesandbox/nodebox-runtime#install
|
That package is entirely open source it's in packages/nodebox in this repo. |
|
O.K. You have to install something though. Which part is closed-source? Normally I don't install |
The actual runtime is closed source, which is what runs in the browser on https://nodebox-runtime.codesandbox.io That npm package is the code to interact with the runtime on that domain. |
|
Don't get me wrong. I get what you are trying to do. I have done similar things using extension code. Using an |
Right, you are suggesting I run third-party closed-source code that you and your team can't talk about. Why would I do that when I can just fetch the Just claiming "secure" and "security" are quickly thrown out the window when the reality is third-party closed-source code that you can't talk about is being employed and relied on. You can't even really address any bugs with the runtime - can't even talk about it. |
|
For your own edification re |
|
You should be able to adapt your current code to use |
|
If the idea is just to run Node.s modules locally we can just fetch Node.js modules from unpkg or jsDelivr on the Web page. If the idea is to also have a one or more local directories to store modules we can use |
|
Looks like there's some confusion about the goal and scope of the Nodebox project. First and foremost, Nodebox is a Node.js-compatible browser runtime, that emulates / polyfills most of its own APIs to run inside a browser environment. Together with Sandpack, which is an in-browser bundler, it allows small to medium Node.js applications (including Vite / Next.js etc. applications, which have a Node.js server-side part) to run entirely inside a browser. What is this useful for? There's two big categories of users:
It's pretty much what Sandpack was already doing for e.g. the React beta docs, but extended to libraries / applications / examples that have a hard dependency on Node.js, e.g. Now, there are two important goals that we set when we started this, which strongly influenced our design decisions:
@guest271314 Your use case seems to be a very narrow subset of the above, where you're both the creator and the consumer, so you can trust the code you want to run, you're on a desktop OS, and you have the |
That is already possible using unpkg, jsDelivr, et al. You are not really running
what happens? |
The term "security" is bantied about a lot in various domains. There is no such thing as "security" re any signal communications based on the fact there is no way for you to verify your signal communications have not been intercepted and analyzed in real-time. What you are essentially describing is |
Note, it is possible to run local
nodeexecutable controlled from the browser using a Web extension and Native Messaging to avoid those limitations, e.g., https://github.com/guest271314/native-messaging-nodejs.The text was updated successfully, but these errors were encountered: