Browser Untrusted Code Security

The cluster debates the safety of executing untrusted JavaScript in web browsers, emphasizing sandboxing and mitigations as sufficient, while questioning the need for additional protections or running such code outside browsers.

📉 Falling 0.5x | Security
Comments: 5,796
Years Active: 20
Top Authors: 5
Topic ID: #5827

Activity Over Time

2007: 5
2008: 26
2009: 63
2010: 87
2011: 168
2012: 218
2013: 366
2014: 324
2015: 284
2016: 357
2017: 350
2018: 508
2019: 454
2020: 476
2021: 460
2022: 484
2023: 387
2024: 361
2025: 378
2026: 40

Keywords

HAVE IMHO JIT JS CORS Keybase.io JavaScript OS VM URL browser untrusted security javascript code browsers js sandboxed malicious web

Sample Comments

cosarara • Sep 3, 2019

Browsers have mitigations in place, don't they? Aren't they enough, at least on paper?

charcircuit • Aug 6, 2025

This is like asking why do web browsers need to sandbox javascript. Giving full permissions to untrusted code is an attacker's dream.

swiley • Apr 27, 2021

There is a way to do that: don't run untrusted code outside the browser.

ghshephard • May 25, 2020

You run untrusted code every day you browse the web.

bradleybuda • Oct 2, 2022

A web browser is an application that safely executes untrusted remote code. It sounds like you don't want to use a web browser.

CyberDildonics • Aug 28, 2020

I'm pretty sure web browsers are sandboxed and that it has taken a significant effort to get there.

perlgeek • Nov 23, 2014

Adding the browser to the mix won't make it much more secure, I fear.

ivraatiems • Jul 19, 2025

It's not a good idea to rely on the browser being safe when the OS itself is unsafe.

smolder • Nov 3, 2024

You're talking like android and ios are the only platforms. The downsides of those platforms don't justify a web browser (which should be safe to use) granting excessive capability to untrusted code.

dahart • Nov 5, 2018

Hilariously awesome. I'm curious whether the multiple warnings about running untrusted code in the browser are necessary. I feel like all websites are already untrusted code, and the browser is quite well sandboxed and protected from anything too bad happening. What is the worst case scenario here for the user within the JS ecosystem, under known avenues of attack, not counting an unknown zero day browser exploit?