Posted by enos_feedler 1/26/2026

The browser is the sandbox (aifoc.us)
https://simonwillison.net/2026/Jan/25/the-browser-is-the-san...
352 points | 191 comments (page 4)
vermaden 1/26/2026
I prefer to do that locally using FreeBSD Jails:

- https://vermaden.wordpress.com/2021/12/15/secure-containeriz...

nezhar 1/26/2026
I like the perspective used to approach this. Additionally, the fact that major browsers can accept a folder as input is new to me and opens up some exciting possibilities.
pdyc 1/26/2026
That's an interesting insight. I just added file system support to my internal tool; I thought this was not possible in Firefox, but the workaround you mentioned works. Thanks.

By any chance, does anyone know if user clicks can be captured for a website/tab/iframe for screen recording? I know I can record the screen, but I am wondering if this metadata can be collected.

sdoering 1/26/2026
If you mean capturing click metadata (coordinates, timestamps, target elements) rather than actual pixel recording - yes, that's what tools like Hotjar/FullStory do. They record DOM mutations + interaction events and replay them.

For your own implementation, document-level event listeners work, though cross-origin iframes are off-limits due to same-origin policy.
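
Added example, not code from the thread or from any commenter: a Node-runnable sketch of the document-level click-metadata recorder sdoering describes (coordinates, timestamp, target element path, capture-phase listener, same-origin check). It uses a constructed document stand-in so it runs offline; in a real page you would pass `document` instead. The function names (`installRecorder`, `describeTarget`, `canInstrumentFrame`) and the sample DOM fragment are my own assumptions.

```javascript
// Build a short CSS-like path for an element so the record identifies the target
// without keeping a reference to the live DOM node. Stops at the first ancestor
// that has an id, since that is already unique within the document.
function describeTarget(el) {
  const parts = [];
  let node = el;
  while (node && node.tagName) {
    let part = node.tagName.toLowerCase();
    if (node.id) {
      parts.unshift(`${part}#${node.id}`);
      break;
    }
    // keep at most two class names so the path stays readable
    const cls = (node.className || '').trim().split(/\s+/).filter(Boolean).slice(0, 2);
    if (cls.length) part += '.' + cls.join('.');
    parts.unshift(part);
    node = node.parentElement;
  }
  return parts.join(' > ');
}

// Convert a click event into a plain record: coordinates, timestamp, target path.
function clickRecord(event) {
  return {
    x: event.clientX,
    y: event.clientY,
    t: Math.round(event.timeStamp),
    target: describeTarget(event.target),
  };
}

// Same-origin check: a frame's document is only reachable from the host page when
// the origins match; cross-origin frames stay opaque to this recorder.
function canInstrumentFrame(pageOrigin, frameOrigin) {
  return pageOrigin === frameOrigin;
}

// Install a capture-phase listener on the document so it sees every click before
// page handlers get a chance to call stopPropagation(). Returns the record buffer.
function installRecorder(doc, buffer = []) {
  doc.addEventListener('click', (ev) => buffer.push(clickRecord(ev)), { capture: true });
  return buffer;
}

// ---- constructed stand-in for a document, so the example runs under Node ----
function makeFakeDocument() {
  const listeners = {};
  return {
    addEventListener(type, fn) {
      if (!listeners[type]) listeners[type] = [];
      listeners[type].push(fn);
    },
    dispatch(type, ev) { (listeners[type] || []).forEach((fn) => fn(ev)); },
  };
}

// Constructed DOM fragment: <div id="app"><form class="login wide extra"><button>
function demo() {
  const doc = makeFakeDocument();
  const records = installRecorder(doc);
  const app = { tagName: 'DIV', id: 'app', className: '', parentElement: null };
  const form = { tagName: 'FORM', id: '', className: 'login wide extra', parentElement: app };
  const button = { tagName: 'BUTTON', id: '', className: '', parentElement: form };
  doc.dispatch('click', { clientX: 120, clientY: 48, timeStamp: 1532.7, target: button });
  return records;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a page, `installRecorder(document)` is all that is needed; the capture flag matters because many sites stop click propagation on their own widgets, and a bubbling listener on `document` would miss those.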

pdyc 1/26/2026
Yes, but I want to capture it without injecting my own JS. Hotjar etc. need to inject their own JS, and then they can add a mutation observer. I want it for cross-origin frames, but after taking the user's permission, similar to screen recording; I guess that's not possible locally.
sdoering 1/26/2026
> I want it for cross-origin frames but after taking users permission

Sadly not to my knowledge.

segmondy 1/26/2026
"The browser could be a sandbox" but the browser is definitely not a sandbox. The browser is an environment.
AlienRobot 1/26/2026
The browser being the sandbox isn't a good thing. It's frankly one of the greatest failures of personal computer operating systems.

Can you believe that if you download a calculator app it can delete your $HOME? What kind of idiot designed these systems?

dekhn 1/26/2026
It still amazes me just how nonstandard the sandbox in browsers is.

The browser should be a VM host.

bloppe 1/26/2026
VMs are pretty heavyweight to run all the JavaScript on a modern page. A proper VM requires a dedicated kernel. Firecracker boots the whole 40MB Linux kernel just to run a "function". A container doesn't have this baggage, but would never be considered secure enough for the web environment.
pplonski86 1/26/2026
Are you aware of any lightweight sandboxes for Python? Not browser-based.
simonw 1/26/2026
You mean for running unsafe Python code?

I'm on a multi-year quest to answer that question!

The best I've found is running Python code inside Pyodide in WASM in Node.js or Deno accessed from Python via a subprocess, which is a wildly convoluted way to go but does appear to work! https://til.simonwillison.net/deno/pyodide-sandbox

Here's a related recent experimental library which does something similar but with JavaScript rather than Python as the unsafe language, again via Deno in a subprocess: https://github.com/simonw/denobox

I've also experimented with using wasmtime instead of Deno: https://til.simonwillison.net/webassembly/python-in-a-wasm-s...

syrusakbary 1/26/2026
Stay tuned: we are about to release a new version of Wasmer with WASIX, which allows for things that can't currently be done with Pyodide:

  * Multithreaded support
  * Calling subprocesses
  * Signals
  * Full networking support
  * Support for greenlets (say hi to SQLAlchemy!) :)
It requires a small effort in wasmer-js, but it already works fully on the server! :)
pplonski86 1/27/2026
Thank you! With WASM I can't use all PyPI packages and can't connect to a database; that's why I'm looking for a Python-based solution.
simonw 1/27/2026
In that case you'll need to look at general purpose sandboxes you can run Python in - stuff like Firecracker or Bubblewrap on Linux or sandbox-exec on macOS.
syrusakbary 1/27/2026
With Wasmer you should be able to use all PyPI packages (even the native ones), although we are a bit light on the native packages we support now.
albert_e 1/26/2026
iframes are cool again :)
kinlan 1/26/2026
Author of the linked post here. Years ago there was a thing called "Magic iframes" that would allow you to move an iframe between windows - like a Service Worker before Service Workers. I was always amazed by some of the things you could do, but now it seems we forget about iframes :D
saagarjha 1/26/2026
I’m not entirely sure this is better than native sandboxes?
zephen 1/26/2026
An interesting technique.

The problems discussed by both Simon and Paul where the browser can absolutely trash any directory you give it is perhaps the paradigmatic example where git worktree is useful.

Because you can check out the branch for the browser/AI agent into a worktree, and the only file there that halfway matters is the single file in .git which explains where the worktree comes from.

It's really easy to fix that file up if it gets trashed, and it's really easy to use git to see exactly what the AI did.