npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

workerboxjs

v6.1.1

Published

A secure sandbox to execute untrusted user JavaScript, in a web browser, without any risk to your own domain/site/page.

Downloads

94

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

markwyldemarkwylde

Keywords

sandboxevalexecutejavascriptuntrusted

Readme

WorkerBox

A secure sandbox to execute untrusted user JavaScript, in a web browser, without any risk to your own domain/site/page.

Installation

npm install --save workerboxjs

Usage

import createWorkerBox from 'workerboxjs';

// Note each `workerbox` instance has it's own sandbox
const { run, destroy } = await createWorkerBox();

let callback;
const scope = {
  name: 'Mark',
  getMessage: () => 'Have a great day!',
  setCallback: fn => {
    // You can store arguments, objects, arrays and returned values
    // outside of the scope of your main app, and then call them
    // from anywhere, so long as the worker is not destroyed.
    callback = fn;
  }
};

setInterval(() => {
  if (callback) {
    // This will communicate with the workerbox transparently.
    callback();
  }
});

// You can save state between running code
// But this will not save between different workerbox instances.
await run(`
  globalThis.sharedVariable = 123
`);

const result = await run(`
  // globalThis.sharedVariable === 123;

  async function sayHello (who) {
    return 'Hello ' + who + '. ' + await getMessage();
  }

  return sayHello(name);
`, scope);

// result === 'Hello Mark. Have a great day!'

// Destroys the workerbox, terminating the webworker
destroy()

Errors and Stack traces

Runtime errors should have readable stacktraces, for example:

The following code:

await run(`
  const a = 1;
  a();
`);

Should return the following error:

TypeError: a is not a function
    at sandbox (<sandbox>:2:2)

However syntax errors will not have a stack trace, for example:

The following code:

await run(`
  return 1 +
`);

Should return the following error:

Unexpected token '}'

It would be helpful for your users if you ran the script through a linter or ast parser, to ensure the JavaScript is valid, and provide useful errors if not.

Development

If you want to check this project out locally, you can do the following:

Run your own local server

git clone https://github.com/markwylde/workerbox.git
cd workerbox
npm install
npm run start

Visit https://0.0.0.0:8002 in your browser and make sure to ignore the TLS security errors. Web workers will only work in secure contexts, so we need to do this locally.

Run the demo project

cd demo
npm install
npm run start

Visit https://0.0.0.0:8000 in your browser.

Run the tests

Build the server side component and run the tests:

npm run build
npm test

How does it work?

An iframe is inserted into the page (optionally from a completely separate domain).

The iframe then creates a web worker, and handles posting messages between the iframe, webworker and your own app.

Because the only communication between the user code and the workerbox is done through messaging, the argument inputs and outputs must all be JSON serializable.

Separate domain

While the iframe has the sandbox="allow-scripts" attribute set, and therefore acts like it's on another domain, you can still run the server on another domain if you wish.

const { run } = await createWorkerBox({
  serverUrl: 'https://sandbox.workerbox.net',
  appendVersion: true
});