@record/web-assembly

Sandboxed ECMAScript support for the WebAssembly API

Source: npm
Version: 0.7.2 (latest)
Versions: 3
Weekly downloads: 2 (-33.33%)
Maintainers: 1

web-assembly


web-assembly is an implementation of the WebAssembly API for secure execution of ECMAScript. It has a footprint of 5KB and does not depend on the DOM.

web-assembly has been designed with efficiency and security in mind. Code is sandboxed purely by means of the JS runtime API. No lexing or parsing is carried out. Security measures are designed to be immune to extensions of the ECMAScript language. The package works in an ES5-compliant manner, which keeps results predictable and makes its security straightforward to assess.

Installation

Install this package using npm:

npm install @record/web-assembly --save-dev

Usage

import WebAssembly from '@record/web-assembly';

let sandbox = {console};

WebAssembly.instantiate('console.log("Hello world")', sandbox);

See the WebAssembly API documentation for further details.

Method

web-assembly executes scripts synchronously in the global scope. The package has no dependencies, that is, tertiary APIs such as DOM or Worker are not involved. Code is not transpiled.

In order to sandbox code and prevent leaks or side effects, built-in objects are frozen. That is, any modification to properties or sub-properties of built-in objects (such as Object.prototype.toString) will be discarded (see the behavior of Object.freeze()).

Objects are thoroughly isolated from the host environment. Variables passed as importObject are completely represented in the sandbox: methods are callable and properties are recursively accessible. However, changes made to these properties are not reflected in the host environment.

Caveats

  • Scripts run in strict mode (or a superset, depending on browser support).
  • Built-in objects (Object, Array, Date etc.) and their prototypes are immutable.
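
The freezing and import-object isolation described under Method and Caveats, as an added sketch that is not the package's own code: deepFreeze, isolate and tryWrite are hypothetical helpers, and a constructed stand-in object replaces the real built-ins. It also shows that under plain Object.freeze() semantics a rejected write is silent in sloppy code and a TypeError in strict code.

```javascript
// Added illustration: deepFreeze, isolate and tryWrite are hypothetical helpers,
// not functions exported by @record/web-assembly.

// Recursively freeze an object graph using ES5 APIs only.
function deepFreeze(obj, seen) {
  seen = seen || [];
  if (Object(obj) !== obj || seen.indexOf(obj) !== -1) return obj;
  seen.push(obj);
  Object.getOwnPropertyNames(obj).forEach(function (key) {
    var desc = Object.getOwnPropertyDescriptor(obj, key);
    if ('value' in desc) deepFreeze(desc.value, seen);
  });
  return Object.freeze(obj);
}

// Sandbox-side copy of a host value (plain objects, arrays, functions only):
// data is copied recursively, functions are wrapped so they still run against
// the host object, and writes land on the copy instead of the host.
function isolate(host, seen, owner) {
  if (Object(host) !== host) return host; // primitives pass by value
  if (typeof host === 'function') {
    return function () { return isolate(host.apply(owner, arguments)); };
  }
  seen = seen || { hosts: [], copies: [] };
  var hit = seen.hosts.indexOf(host);
  if (hit !== -1) return seen.copies[hit]; // keep cycles intact
  var copy = Array.isArray(host) ? [] : {};
  seen.hosts.push(host);
  seen.copies.push(copy);
  Object.keys(host).forEach(function (key) {
    copy[key] = isolate(host[key], seen, host);
  });
  return copy;
}

// Attempt target[key] = null from code compiled at run time. Function() bodies
// are sloppy unless they opt in, so both modes can be compared in one file.
function tryWrite(target, key, strict) {
  var body = (strict ? '"use strict";' : '') + 'target[key] = null;';
  try {
    new Function('target', 'key', body)(target, key);
    return target[key] === null ? 'written' : 'discarded';
  } catch (err) {
    return err instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Constructed stand-in for a built-in, so real globals stay untouched here.
var fakeBuiltin = deepFreeze({ prototype: { toString: function () { return '[fake]'; } } });
```

The copy made by isolate is a snapshot: a host method called through it updates the host object, and the sandbox-side data properties keep their original values.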

License

© 2016 Filip Dalüge, all rights reserved.

Package last updated on 16 May 2017
