The browser is the sandbox

Posted by enos_feedler 20 hours ago

The browser is the sandbox(simonwillison.net)

330 points | 175 comments

simonw 17 hours ago|

This is an entry on my link blog - make sure to read the article it links to for full context, my commentary alone might not make sense otherwise: https://aifoc.us/the-browser-is-the-sandbox/

secure 14 hours ago||

You might want to add a little note to that effect to your link blog :)

I have added year indicators to my blog (such that old articles have a prominent year name in their title) and a subscribe note (people don’t know you can put URLs into a feed reader and it’ll auto-discover the feed URL). Each time, the number of people who email me identical questions goes down :)

Anyway, thanks for blogging!

written-beyond 4 hours ago||

I applaud you sir!

You've successfully hacked the collective HN hive mind. I can't go a week without either seeing your post on the frontpage, someone mentioning you, your comment branching into a huge thread or obligatory pelican riding bike SVG.

I don't personally have a taste for LLM comparison posts but your consistency has paid dividends. SimonW is tattooed in my eyelids, a name I shall never forget. Wishing you all the best.

stevefan1999 19 hours ago||

We never say that it isn't. There is a reason Google developed NaCl in the first place that inspired WebAssembly to become the ultimate sandbox standard. Not only that, DOM, JS and CSS also serves as a sandbox of rendering standard, and the capability based design is also seen throughout many browsers even starting with the Netscape Navigator.

Locking down features to have a unified experience is what a browser should do, after all, no matter the performance. Of course there are various vendors who tried to break this by introducing platform specific stuff, but that's also why IE, and later Edge (non-chrome) died a horrible death

There are external sandbox escapes such as Adobe Flash, ActiveX, Java Applet and Silverlight though, but those external escapes are often another sandbox of its own, despite all of them being a horrible one...

But with the stabilization of asm.js and later WebAssembly, all of them is gone with the wind.

Sidenote: Flash's scripting language, ActionScript is also directly responsible for the generational design of Java-ahem-ECMAScript later on, also TypeScript too.

chime 18 hours ago||

> Sidenote: Flash's scripting language, ActionScript is also directly responsible for the generational design of Java-ahem-ECMAScript later on, also TypeScript too.

I feel like I am the only one who absolutely loved ActionScript, especially AS3. I wrote a video aggregator (chime.tv[1]) back in the day using AS3 and it was such a fun experience.

1. https://techcrunch.com/2007/06/12/chimetv-a-prettier-way-to-...

lukan 17 hours ago|||

How did you got that impression?

There is the universal hate for flash because it was used for ads and had shitty security, but anyone I know who actually used AS3 loved it.

At its peak, with flex builder, we also had a full blown UI Editor, where you could just add your own custom elements designed directly with flash ... and then it was all killed because Apple did not dare to open source it, or put serious efforts on their own into improving the technical base of the flash player (that had aquired lots of technical dept).

as1mov 15 hours ago|||

> There is the universal hate for flash because it was used for ads and had shitty security

That's only one side of it. Flash was the precursor to the indie/mobile gamedev industry we have today (Newgrounds, Miniclip, Armor Games), before smartphones become ubiquitous. Not to mention some rather creative websites, albeit at the cost of accessibility .

Flash's only fault was it's creators were gobbled up by Adobe, who left it in the shitter and ignored the complaints people had about it's security issues.

tptacek 8 hours ago||

It was by design very difficult to secure.

mike_hearn 3 hours ago|||

Arguably, so is the web. A long series of extremely complicated and constantly changing data formats that are nightmarishly difficult to parse, which has to be done in C++ for speed reasons, combined with a full scripting language, which has to be JIT compiled for speed reasons, combined with 30 years of legacy and a security model that was completely ad hoc and more discovered than designed (e.g. the different variants of the same origin policy). Take that and add on top a browser community that doesn't philosophically recognize any limits on what the web is meant to do, so it just keeps getting more and more APIs until one day both Mozilla and the Chrome team decided to just stop pretending and build full blown operating systems on top of them.

I don't think Flash was harder to secure than HTML itself. People just gave up trying because browser vendors used security to purge the web of anything they didn't control.

tptacek 3 hours ago||

Right, so that was exactly what I was thinking when I wrote that. All three of Flash, PDF, and the browser DOM are expansive, ambitious metaformats, containers for every piece of technology that has ever had a bug.

Your take on why Flash didn't survive is more cynical than mine. I genuinely think Apple threw up their hands at the prospect of attempting to solve a security problem on the same scale as the browser itself (something it took them a long time to get a handle on --- along with everyone else --- even after they put the kibosh on Flash).

lukan 7 hours ago|||

You mean intentionally?

I think they just had the focus on features and speed and fps. Not security nor efficency (battery life).

tptacek 5 hours ago||

Not intentionally, but it's one of a couple 90s designs (PDF is another one) that turned out to be goliath security problems just architecturally.

ayewo 11 hours ago||||

> ... and then it was all killed because Apple did not dare to open source it, or put serious efforts on their own into improving the technical base of the flash player (that had aquired lots of technical dept).

IIRC, they couldn't open source Flash due to its use of a number of 3rd party C/C++ libraries that were proprietary.

Adobe's license with these 3rd parties permitted binary-only distribution so it would have meant renegotiating a fresh license (and paying out $$$) for an EOL codebase that had enormous technical debt, as you also acknowledge in your last sentence.

Someone 14 hours ago||||

> and then it was all killed because Apple did not dare to open source it

Did you or, more likely, your phone mistype Adobe? I don’t think Apple ever had the rights to the source or even the source, did they?

lukan 13 hours ago||

Yes, Adobe of course.

mejutoco 17 hours ago||||

It was also leaking memory, which made it very unsuitable for anything long running (like long-running screen displays, ask me how I know).

noduerme 14 hours ago||

This is a misconception. AS3 actually had great garbage collection, and solidly written AS3 code did not leak.

mejutoco 10 hours ago||

Flex player leaked memory like a sieve. After one day or so it would hang the computer. Maybe it was wrongly written, but leak it did. I have experienced it first hand.

Maybe it was the standalone flex player instead of the web Flash player?

lukan 9 hours ago||

My memory is a bit fuzzy, do not remember flex player, did you mean AIR?

(Flash for desktop, with file access)

noduerme 13 hours ago||||

I'm in a terrible situation right now where I promised a client a fairly simple web-based game, to be delivered in pixijs. Pixi is great for what it does, and as an old time Flash game coder, I find it mostly does enough for procedural stuff, although it's got its share of quirks, gotchas, bugs and memory leaks. What I didn't think about was how to get prefab vector animations into this game - not sprite sheets, but cut scenes that I wanted to be essentially animated SVGs. So I started to go the Adobe Animate route and found to my horror that it's basically Flash stripped of all its useful tools and riddled with bugs; there's no good way to import those animations as vectors or even as bitmaps into Pixi. Animate's exporter still runs on EaselJS code from 2015 and just spits out badly formed json files that misrepresent the tweens. Worse still, it can't even pack textures correctly or consistently. It appears to size them at random based on what size they are in some random frame. And it crashes anytime it tries to pack a texture large enough to be useful. It's not an understatement to say that Flash 7 or 8, in the early 2000s, was far more advanced and powerful.

So what would have taken a day or two back when Flash was available is now taking a week of hand-writing tweens and animations in raw Typescript, one layer at a time.

Since I happened to write the first canvas-based interactive screen graph code that Grant Skinner partially ripped off to create EaselJS, and since I'm sure he's making a fine living from Adobe licensing it, it's especially galling that I'm still paying for a CC license and this is what I get when I want to use a GUI to make some animations to drop into a game.

It's the first time I've done a 2D game since 2017, and I had over a decade of experience building games in Flash/AIR before that. It's just mind-blowing how stupid and regressed Adobe's tooling has become in the past few years, and how much harder it is to do simple things that we took for granted in the heyday of Flash authoring. There really is still no equivalent workflow or even anything close. I guess that post-Flash, there aren't enough people making this kind of web game content for there to be a solid route without using Unity or something.

dyarosla 6 hours ago|||

I also worked on a number of Flash projects in its heyday. I agree that there aren’t really any close equivalents to its feature set today, but there are some tools like Rive and Lottie that I’d consider modern day reimaginings for many multimedia workflows.

lukan 13 hours ago|||

Yes, I know what you mean. I gave up on Adobe Animate.

Pixi is great for anything that is a texture, then it is really fast. Otherwise it is not a flash replacement.

I do not use it for vector animations, but spritesheets or a webm video overlay is what I would use in your case.

noduerme 13 hours ago||

yeah, I really didn't want to use video. The vectors are around 64kb per cut scene. I don't want to create several Mb worth of mp4s for each one.

lukan 13 hours ago||

Did you give it a try? If the scenes are quite short, I found webm to have a reasonable small size.

But .. it bothers me of course as well, having a full video of rastergraphic what could be just some vector and animation data.

noduerme 13 hours ago||

I haven't tried with webm. But they need to play full screen on desktop and also stream well on mobile.

I might try Spine, I've heard some positive things. They'll still end up as textures in pixi but maybe at least they can pack well.

simonh 14 hours ago|||

Adobe, not Apple.

Semaphor 17 hours ago||||

> I feel like I am the only one who absolutely loved ActionScript,

I never really worked with it, but it seems whenever it comes up here or on Reddit, people who did, miss it. I think the authoring side of Flash is remembered very positively.

arthens 12 hours ago||||

My experience with AS3 is limited to a single project ~18 years ago, but I still remember it with fondness. No other language ever got close to how much I liked AS3.

nitwit-se 12 hours ago|||

Not the only one. I have great memories from many years spent building real products in AS3 - some of them even had users!

For a while RIM/Blackberry was using Adobe Air - on the Playbook and also the built-in app suite in the lead up to the launch of BB10. The latter never saw the light of day though, a late decision was made to replace all of the built-in apps with Qt/Cascades equivalents (if I remember right this was due largely to memory requirements of the Air apps).

pjmlp 13 hours ago|||

Java is unrelated to ActionScript, LiveScript became JavaScript due to Sun/Netscape business agreements.

drysine 18 hours ago||

>all of them being a horrible one

Silverlight was nice, pity it got discontinued.

pjmlp 18 hours ago||

Lets not forget it was actually the platform for Windows Phone 7, existed as alternative to WinRT on Windows 8.x, only got effectively killed on Windows 10.

Thus it isn't as if the browser plugins story is directly responsible for its demise.

mg 15 hours ago||

This is a great example of how useful the File System Access API is.

On http://co-do.xyz/ you can select a directory and let AI get to work inside of it without having to worry about side effects.

The Fily System Access API is the best thing that happened to the web in years. It makes web apps first class productivity applications.

storystarling 4 hours ago||

It definitely makes deployment cheaper, but I'm skeptical about relying on the browser for state management in longer chains. I tried this for a publishing tool and ended up migrating back to LangGraph and Celery just to ensure reliability. The infrastructure savings weren't worth the headache of handling edge cases on the client.

layer8 15 hours ago|||

> It makes web apps first class productivity applications.

They won’t be first-class as long as native UI still has the upper hand.

whywhywhywhy 14 hours ago|||

This battle is long won in favor of webtech in every realm but 3d/video editing/audio work/things that do gpu heavy lifting like game engines.

Outside those sort of spaces it’s hard to name a popular piece of software still on native that isn’t a wrapped webapp.

Sammi 12 hours ago||

> video editing

cough CapCut cough

cobolexpert 15 hours ago|||

In which way does native UI have the upper hand, do you think? To me it seems like a lot of users are largely indifferent to this aspect (e.g. so many applications nowadays being Electron/browser based). If browsers keep gaining capabilities then it seems like this gap will get even smaller.

TingPing 12 hours ago||

I’ve never used a webapp that felt nicer than native software, it’s always very clearly a compromise.

simonw 12 hours ago||

I can't tell what's a web app and what's native these days. Are you sure you can?

TingPing 11 hours ago|||

I'd have a very good hit rate, it mostly comes down to knowledge of toolkits. There are native apps that use their own toolkit, mostly written in Rust these days, and they always are worse than traditional toolkits (accessibility, respecting platform settings, visually fitting in, etc). That same issue applies to webapps typically.

auggierose 14 hours ago||

Unfortunately, this feature of the API is not supported (yet?) either by Safari or Firefox.

mmis1000 14 hours ago|||

The guarantee of web page never edit file on your disk(only create new ones) does not hold on this api though. I know it's what makes this api useful. But at the same time, there is big risk that user never expected this and results into giant security issue.

Firefox and safari are generally very conservative about new api that can enable new type of exploits.

At least firefox and safari does implement origin private file system. So, while you can't edit file on user disk directly. You can import the whole project into browser. Finish the edit and export it.

cxr 13 hours ago||||

Browsers have had widespread support for processing files via drag-and-drop and the <input> element since HTML5 (< 2015). The last holdout on allowing the filepicker to accept a full directory (and its subdirectories, recursively—rather than 1 or N individual files) was Safari sometime around (before) 2020.

The Chrome team's new, experimental APIs are a separate matter. They provide additional capabilities, but many programs can get along just fine without since they don't don't strictly need them in order to work—if they would ever even have end up using them at all. A bunch of the applications in the original post fall into this category. You don't need new or novel APIs to be able to hash a file, for example. It's a developer education problem (see also: hubris).

jefftk 8 hours ago||

Providing a web app with edit access to a local directory is really needed for this to be usable. Without that you're constantly managing downloaded files and manually replacing things. I do think this is a case where the File System Access API shines.

cxr 7 hours ago||

> Providing a web app with edit access to a local directory is really needed for this to be usable.

"This" what? sha256sum doesn't need read-write access for even one file to be able to compute a hash, let alone a whole directory. You're ignoring most of my comment, focusing on like 20%, and in so doing, missing (and/or deliberately misframing) 100% of the point.

jefftk 7 hours ago||

We're talking about Simon's boosting of https://aifoc.us/the-browser-is-the-sandbox/ which is a prototype of Claude Cowork in the browser. That's what I'm saying needs read-write access.

cxr 5 hours ago||

> https://aifoc.us/the-browser-is-the-sandbox/ which is a prototype of Claude Cowork in the browser

Yup. That's the link, all right—the one we all read and that I'm citing examples from. Thanks for the reminder, I guess: it has been a whole 8 hours since I first looked at it.

What "we" are talking about here, in this subthread, is the fact that "Browsers have had widespread support for processing files" for a long, long time, and that although "Chrome team's new, experimental APIs [...] provide additional capabilities" which are undoubtedly useful for certain programs, they're overkill and don't offer anything new and/or strictly necessary for many, many programs that don't actually need that sort of access—including "A bunch of the applications in the original post [that] fall into this category. You don't need new or novel APIs to be able to hash a file, for example."

Which is to say, we're talking about POLP/POLA. And the point of my comment was to address the very worthwhile matter of POLA violations. But you seem insistent on shutting that discussion down with chatter that looks like it's an on-topic reply or refutation to something, but in reality doesn't actually meaningfully engage with what you're purporting to respond to, or at best comes come across as confused and not particularly attentive.

There are already and will continue to be plenty of opportunities to discuss the acknowledged upsides of the new APIs for the class of programs for which they are strictly necessary. There's a lot of them in this very comment section. It doesn't have to come at the expense of changing the subject in the middle of a different conversation—accompanied by undertones that you're putting some matter to rest.

jefftk 5 hours ago||

I agree we're talking past each other somewhat, but it really feels to me like you're missing the point. Here's the convo:

mg: This is a great example of how useful the File System Access API is ...

auggierose: the API is not supported (yet?) either by Safari or Firefox

you: describes the current situation with cross-browser file input support, says it's a "developer education problem"

me: this specific use case really does need the full API

It read to me, and still does read to me, like you were saying that Kinlan's use of FSA was hubris.

cxr 4 hours ago||

Boy, this has been a really fun and rewarding experience.

> I agree we're talking past each other

You're exactly half right.

Let's make this dead simple: does anyone need any of these new APIs to compute the SHA-2 hash for a file? A simple answer will do. Simple, non-evasive, no "look thither" misdirection.

pjmlp 13 hours ago|||

Because it is a ChromeOS Platform API, not that it matters with the Chrome market share.

ijustlovemath 18 hours ago||

I've found it interesting that systemd and Linux user permissions/groups never come into the sandboxing discussions. They're both quite robust, offer a good deal of customization in concert,and by their nature, are fairly low cost.

nextaccountic 17 hours ago||

Unix permissions were written at a time where the (multi user) system was protecting itself from the user. Every program ran at the same privileges of the user, because it wasn't a security consideration that maybe the program doesn't do what the user thinks it does. That's why in the list of classic Unix tools there is nothing to sandbox programs or anything like that, it was a non issue

And today this is.. not sufficient. What we require today is to run software protected from each other. For quite some time I tried to use Unix permissions for this (one user per application I run), but it's totally unworkable. You need a capabilities model, not an user permission model

Anyway I already linked this elsewhere in this thread but in this comment it's a better fit https://xkcd.com/1200/

nesarkvechnep 12 hours ago|||

There's FreeBSD's Capsicum. It's a full-blown sandboxing mode and capability framework. Unfortunately, Linux didn't adopt it and chose chaos.

curt15 12 hours ago||||

>And today this is.. not sufficient. What we require today is to run software protected from each other. For quite some time I tried to use Unix permissions for this (one user per application I run), but it's totally unworkable. You need a capabilities model, not an user permission model

Unix permissions remain a fundamental building block of Android's sandbox. Each app runs as its own unix user.

surajrmal 12 hours ago|||

Android sandboxing works in spite of the underlying security model, not because of it. It's also really selinux that does a lot of heavy lifting.

goodthenandnow 11 hours ago|||

Subthread from a while ago where I wrote some details on how Android sandboxing architecture uses Linux’s primitives: https://news.ycombinator.com/item?id=40676309

mike_hearn 3 hours ago||||

Yes but systemd is a full blown sandboxing system, and he said the two working in concert.

theteapot 17 hours ago||||

I feel like apparmor is getting there, very, very slowly. Just need every package to come with a declarative profile or fallback to a strict default profile.

fsflover 17 hours ago|||

This is why my daily driver is https://qubes-os.org

realityfactchex 3 hours ago|||

> user permissions/groups never come into the sandboxing discussions

Sometimes *nix user accounts for AI agent sandboxing does come up in discussions. At [0], HN user netcoyote linked to his sandvault tool [1], which "sandboxes AI agents in a MacOS limited user account".

Actually seems like a great idea IMO, to be lightweight, generic, and robust-enough.

[0] https://news.ycombinator.com/item?id=46760777

[1] https://github.com/webcoyote/sandvault

moezd 18 hours ago|||

This assumes people know more than just writing Dockerfiles and push straight to production. This is still a rarity.

ijustlovemath 18 hours ago||

Nowadays, it's fairly simple to ask for a unit file and accompanying bash script/tests for correctness. I think the barrier in that sense has practically vanished.

vbezhenar 17 hours ago|||

Linux kernel is ridden with local privilege escalation vulnerabilities. This approach works for trusted software that you just want to contain, but it won't work for malicious software.

viraptor 17 hours ago||

Ridden? There are issues from time to time, but it's not like you can grab the latest, patched Ubuntu LTS and escalate from an unprivileged seccomp sandbox that doesn't include crazy device files.

vbezhenar 17 hours ago|||

Any sandbox technology works fine until it isn't. It's not like you could escape Java sandbox, but Java applets were removed from the browsers due to issues being found regularly. In the end, browser sandbox is one of the few that billions of people use and run arbitrary code there every day, without even understanding that. The only comparable technology is qemu. I don't think there are many hosters who will hand off user account to a shared server and let you go wild there.

viraptor 16 hours ago|||

> Any sandbox technology works fine until it isn't.

Tautology is tautology.

> but Java applets were removed from the browsers

Java applets provided more scope compared to the browser itself, not less. They're not really comparable to seccomp or namespaces.

> hosters who will hand off user account to a shared server

There's lots of CI or function runners that expose docker-like environments.

vbezhenar 15 hours ago||

> Java applets provided more scope compared to the browser itself, not less. They're not really comparable to seccomp or namespaces.

They are comparable because they provided a restricted sandbox to execute untrusted code.

> There's lots of CI or function runners that expose docker-like environments.

These are running inside VMs.

graemep 15 hours ago|||

> Java applets were removed from the browsers due to issues being found regularly

Java applets were killed off my MS's attempt at "embrace, extent, extinguish" by bundling an incompatible version of Java with IE, and Sun's legal response to this.

whywhywhywhy 14 hours ago|||

They never worked nice and always felt slow, unreliable and janky at the time. It’s easy to blame MS but no one was sad to see the back of them.

graemep 14 hours ago||

I was fine with the few I used, and Java works much better on the hardware we now have. A lot better than a lot of cross platform things we have now.

vbezhenar 13 hours ago|||

No, Microsoft has nothing to do with it. Browsers are controlled by Google and Mozilla and they decided to block Java plugin.

surajrmal 12 hours ago|||

The Linux API surface is massive. And the fact it's written on C leaves lots of room for vulnerabilities. I don't think you need to reach for a VM, but without a slimmer kernel interface, it's difficult to trust the kernel to actually uphold its required duties in the face of adversaries. This is why folks push heavily for microkernels. Chrome needs to work incredibly hard to provide reliable sandboxing as a result.

srcreigh 10 hours ago|||

It shouldn’t come up because it’s not sufficient. How would systemd prevent local JavaScript code from sending DNS, http, webrtc network requests when it’s opened in the users browser?

pjmlp 18 hours ago|||

Because that is actually UNIX user permissions/groups, with a long history of what works, and what doesn't?

ape4 18 hours ago|||

cgroups are part of whats used to implement docker and podman

ijustlovemath 18 hours ago||

True, and they do indeed offer an additional layer of protection (but with some nontrivial costs). All (non-business killing) avenues should be used in pursuit of defense in depth when it comes to sandboxing. You could even throw a flatpak or firejail in, but that starts to degrade performance in noticeable ways (though I've found it's nice to strive for this in your CI).

TingPing 12 hours ago||

Namespaces are very lightweight though? Like single digit overhead.

hendry 17 hours ago||

Agreed! systemd nspawn is actually pretty awesome, though not many people use it.

rcarmo 18 hours ago||

I don't buy it. It might be very useful for a few use cases, but despite all the desktop automation craze and "Claude for cooking" stuff that is inevitably to follow, our computing model for live business applications has, for maintainability, auditability, security, data access, etc. become cloud-centric to a point where running things locally is... kind of pointless for most "real" apps.

Not that I'm not excited about the possibilities in personal productivity, but I don't think this is the way--if it was, we wouldn't have lost, say, the ability to have proper desktop automation via AppleScript, COM, DDE (remember that?) across mainstream desktop operating systems.

storystarling 8 hours ago||

For bootstrapped GenAI apps, moving inference to the browser is basically an economic necessity. I'm refactoring a service right now to offload image generation to the client because the backend GPU costs make the margins impossible otherwise. It makes the architecture much messier, but unless you have VC money to burn on compute, the user's hardware is the only free resource you have.

pjmlp 13 hours ago||

COM is pretty much alive, it is the main delivery mechanism for new Windows APIs since Windows vista, and in the context of your remark powers UI Automation framework.

I have a DDE book somewhere, with endless pages of C boilerplate to exchange a couple of values between two applications on Windows 3.x.

surajrmal 11 hours ago||

I'm not sure new windows APIs use COM as people remember it. Nowadays they are written against WinRT, which is arguably an evolution of COM.

pjmlp 11 hours ago||

Not at all, the WinRT APIs that exist, which is indeed one additional interface (IInspectable), .NET metadata instead of type libraries, application identity, is a minority constrained to WinAppSDK and WinUI 3.0, that barely anyone uses other than Microsoft employees on the Windows team.

If not using WinUI 3.0, or Windows ML with CoPilot+, there is no reason to submit oneself to the pain of using CsWinRT or C++/WinRT bindings with lesser tooling than their UWP counterparts.

The large majority of new APIs, since Vista are based on traditional COM, with the biggest exception being UMDF that in version 2.0 rolled back its COM API from version 1.0, back to a C based one.

augusteo 19 hours ago||

The folder input thing caught me off guard too when I first saw it. I've been building web apps for years and somehow missed that `webkitdirectory` attribute.

What I find most compelling about this framing is the maturity argument. Browser sandboxing has been battle-tested by billions of users clicking on sketchy links for decades. Compare that to spinning up a fresh container approach every time you want to run untrusted code.

The tradeoff is obvious though: you're limited to what browsers can do. No system calls, no arbitrary binaries, no direct hardware access. For a lot of AI coding tasks that's actually fine. For others it's a dealbreaker.

I'd love to see someone benchmark the actual security surface area. "Browsers are secure" is true in practice, but the attack surface is enormous compared to a minimal container.

cxr 12 hours ago||

> What I find most compelling about this framing is the maturity argument. Browser sandboxing has been battle-tested by billions of users clicking on sketchy links for decades[…] No system calls, no arbitrary binaries, no direct hardware access.

For the same reasons given, NPM programmers should be writing their source code processors (and other batch processing tools) to be able to run in the browser sandbox instead of writing command-line utilities directly against NodeJS's non-standard (and occasionally-breaking) APIs.

nezhar 19 hours ago||

I see this as a way to build apps with agentic flows where the original files don't need manipulation; instead, you create something new. Whether it's summarizing, answering questions, or generating new documents, you can use a local/internal LLM and feel relatively safe when tool calling is also restricted.

arjunchint 2 hours ago||

Haha we made a demo couple of months back with the same underlying premise of "The Browser Sandbox is All You Need": https://www.youtube.com/watch?v=PrSYYaZCxsc

We essentially leveraged sandboxes built into Chromium browsers for LLM generated code execution.

This actually simplifies a lot of the setup in the blog post, as it leverages existing sandboxing infra exposed for extensions: https://developer.chrome.com/docs/extensions/how-to/security...

jacobgadek 2 hours ago|

The browser sandbox is incredible for isolated code execution, but I've found it tricky for "local agent" workflows where you actually want the LLM to use the host CLI or filesystem, just safely.

I built a process supervisor (Vallignus) for that specific "OS-level" use case. It wraps the agent to enforce egress filtering and loop detection so it can use local tools without running wild.

Code is here if you're curious: https://github.com/jacobgadek/vallignus

anilgulecha 17 hours ago||

I'd like to point Simon and others to 2 more things possible in the browser:

1) webcontainer allows nodejs frontend and backend apps to be run in the browser. this is readily demonstrated to (now sadly unmaintained) bolt.diy project.

2) jslinux and x86 linux examples allow running of complete linux env in wasm, and 2 way communication. A thin extension adds networking support to Linux.

so technically it's theoretically possible to run a pretty full fledged agentic system with the simple UX of visiting a URL.

simonw 17 hours ago||

I have a very minimal v86 experiment here: https://tools.simonwillison.net/v86

My eventual goal with that is to expand it so an LLM can treat it like a filesystem and execution environment and do Claude Code style tricks with it, but it's not particularly easy to programmatically run shell commands via v86 - it seems to be designed more for presenting a Linux environment in an interactive UI in a browser.

It's likely I've not found the right way to run it yet though.

anilgulecha 16 hours ago|||

On the second tab (which is a text/browser interface to the VM) here: https://copy.sh/v86/?profile=buildroot , you can start sh shell, and run arbitrary commands, and see output. making a programmatic i/o stream is left as an exercise (to claude perhaps :).

Lerc 15 hours ago|||

One of the very first experiments I did with AI was trying to build a browser based filesystem interface and general API provider. I think the first attempts were with ChatGPT 3.5 . I pretty quickly hit a wall, but Gpt4 got me quite a lot further.

I see the datestamp on this early test https://fingswotidun.com/tests/messageAPI/ is 2023-03-22 Thinking about the progress since then I'm amazed I got as far as I did. (To get the second window to run its test you need to enter aWorker.postMessage("go") in the console)

The design was using IndexedDB to make a very simple filesystem, and a transmittable API

The source of the worker shows the simplicity of it once set up. https://fingswotidun.com/tests/messageAPI/testWorker.js in total is just

    importScripts("MessageTunnel.js"); // the only dependency of the worker
  
    onmessage = function(e) {
     console.log(`Worker: Message  received from main script`,e.data);
     if (e.data.apiDefinition) {
       installRemoteAPI(e.data.apiDefinition,e.ports[0])    
     }
     if (e.data=="go") {
       go();
       return;
     } 
  }
  
  async function go() {
      const thing = await testAPI.echo("hello world")
      console.log("got a thing back ",thing)
  
      //fs is provided by installRemoteAPI  
      const rootInfo = await fs.stat("/");
      console.log(`stat("/") returned `,rootInfo)
    
      // fs.readDir returns an async iterator that awaits on an iterator on the host side 
      const dir = await fs.readDir("/")
      for await (const f of dir) {
        const stats = await fs.stat("/"+f.name);
        console.log("file  " +f,stats)
      }
    
  }

I distinctly remember adding a Serviceworker so you could fetch URLs from inside the filesystem, so I must have a more recent version sitting around somewhere.

It wouldn't take too much to have a $PATH analog and a command executor that launched a worker from a file on the system if it found a match existed on the $PATH. Then a LLM would be able to make its own scripts from there.

It might be time to revisit this. Polishing everything up would probably be a piece of cake for Claude.

curtisblaine 17 hours ago|||

> 1) webcontainer

Isn't webcontainers.io a proprietary, non-open source solution with paid plans? Mentioning it at the same level of open source, auditable platforms seems really strange to me.

anilgulecha 16 hours ago||

Technically, it runs on Chrome, so making an open source version is viable. then bolt.diy project was giving opencontainers a shot, which is a partial implementation of the same. But broadly, if this method works, then FOSS equivalent is not a worry, should come soon enough.

szundi 16 hours ago||

[dead]

modeless 19 hours ago||

Last I looked (a couple of years ago), you could ask the user for read-write access to a directory in Chrome using the File System Access API, however you couldn't persist this access, so the user would have to manually re-grant permission every time you reloaded the tab. Has this been fixed yet? It's a showstopper for the most interesting uses of the File System Access API IMO.

vbezhenar 19 hours ago||

Yes, it was improved.

https://developer.chrome.com/blog/persistent-permissions-for...

modeless 18 hours ago||

Thanks, this looks like a very sensible behavior.

kinlan 11 hours ago||

I also implemented this in the example site in the post.

nezhar 19 hours ago||

Good question! Since this is an extension of input, I'm not sure if this is defined: https://developer.mozilla.org/en-US/docs/Web/API/HTMLInputEl....

On my desktop Chrome on Ubuntu, it seems to be persistent, but on my Android phone in Chrome, it loses the directory if I refresh.

Ozzie_osman 14 hours ago|

This sandboxes your file system. That's just one class of problem. People will want to hook this up to their inbox, their calendar, their chats, their source code, their finances, etc. File system secured? Great. Everything else? Not so much.

That said. It's a good start.

More comments...