Isolating code evaluation

[strogonoff]

Thanks for a very cool library!

This is a bit of an open-ender, so I decided to use discussions instead of filing an issue.

For things like handlers and so on this library seems to rely on evaluating given code, which is totally understandable. However, I’m curious whether it would be a valid use case to use the library such that all string-evaluated code runs in an isolated context (e.g., sandboxed web worker, QuickJS, or something like that). So that the “host” app could combine third-party components but they could not affect the host app (inadvertently or intentionally).

My understanding is this:

• Some features would not work (e.g., if there’s no window then windowprops go out of the… window), but that’s obvious.
• getFunctionFromEval() is the main entry point where any code is evaluated from string. Unless I’m missing some other places?
• Dynamic components are tricky, because they require ongoing evaluation of the code on each render. Putting that evaluation into an isolated context would likely make GUI too slow. The only way to make fully dynamic components work usably is by wrapping everything in a sandboxed iframe (subject to any sandboxing escapes), and call getReactComponent etc. in there.
• outputHTML to get non-dynamic output is easier, if that function doesn’t require access to DOM then the host could execute the whole thing in isolated context and then incorporate finished HTML into DOM in the host. However, without extra checks it would still be insecure without a sandbox (even if getFunctionFromEval() is fully isolated, if host dangerously sets inner HTML then components can sneak some JS in there and have user’s browser execute that in host context).

Perhaps maintainer or other users will have thoughts…