The browser is the sandbox

Posted by enos_feedler 1/26/2026

The browser is the sandbox(aifoc.us)

https://simonwillison.net/2026/Jan/25/the-browser-is-the-san...

352 points | 191 commentspage 5

dawie 1/26/2026|

Is the source code on GitHub?

tomashubelbauer 1/26/2026|

https://github.com/PaulKinlan/Co-do/

kinlan 1/26/2026||

You beat me to it. Thanks for sharing it

written-beyond 1/26/2026||

I applaud you sir!

You've successfully hacked the collective HN hive mind. I can't go a week without either seeing your post on the frontpage, someone mentioning you, your comment branching into a huge thread or obligatory pelican riding bike SVG.

I don't personally have a taste for LLM comparison posts but your consistency has paid dividends. SimonW is tattooed in my eyelids, a name I shall never forget. Wishing you all the best.

dekerklas 1/26/2026||

[dead]

MOAAARRR 1/26/2026||

[dead]

tdhz77 1/26/2026||

[flagged]

rcarmo 1/26/2026||

As someone who's been blogging since 2002, I can tell you first hand that you get a fair amount of outreach. But I even though I have had to put Simon's feed through a summarizer to be able to keep up, I don't see any bias there--just _a lot_ of writing about whatever he's interested in, and either our own perceptions of what is interesting and the law of averages inevitably kick in and there are a few duds here and there.

hantusk 1/26/2026|||

Good opportunities arise for those who stick their neck out. Here's some inspiration for what to blog about: https://simonwillison.net/2022/Nov/6/what-to-blog-about/

It seems he started his blog in 2003: https://simonwillison.net/2003/Jun/12/oneYearOfBlogging/

rvz 1/26/2026||

And ever since Nov 2022 and beyond, his blog is now majority riddled with non-stop AI, LLMs, Chatbots and Agents slop which is what the parent comment is talking about.

As for the "browser is the sandbox" running untrusted code in the user's browser increases the risk of an unintended RCE via a sandbox escape which can be done in Chrome [0]. WASM is not going to save you either [1].

[0] https://www.ox.security/blog/the-aftermath-of-cve-2025-4609-...

[1] https://issues.chromium.org/issues/334120897

rzmmm 1/26/2026|||

He is a familiar blogger for HN readers, has been for a long time. While I agree the posts are nowadays a bit repetitive, he has also very interesting non-AI content. Some people probably upvote because they like the author, not necessarily the content.

nextaccountic 1/26/2026||

I don't understand this criticism. Most agents today are running with no sandboxing at all. Every person has to figure out how they will sandbox each agent (run under bubblewrap? container-use? what about random MCP servers, do they need to be sandboxed separately?) on an ad hoc basis. Most people don't bother with it.

And then you see the recent vulnerabilities in opencode for example. The current model is unsustainable

It would be great if desktop Linux adopted a better security model (maybe inspired by Android). So far we got this https://xkcd.com/1200/ and it's not sufficient

zkmon 1/26/2026||

Coding agents may become trivial artifacts to be assembled by developers themselves from libraries, given the well-defined workflow. If it is a homegrown agent then you probably don't need a sandbox to run in.

apignotti 1/26/2026|

The browser is the most effective environment to distribute and isolate applications. We have built technologies for years to leverage these capabilities to run legacy Java (CheerpJ) and x86 binaries (Cheerpx / WebVM).

We are soon going to release a new technology, built on top of the same stack, to allow full-stack development completely in the browser. It's called BrowserPod and we think it will be a perfect fit for agents as well.

https://browserpod.io