Description
The current sandbox uses isolated-vm which uses (outdated) node-gyp.
Because of this, running restringer in the browser isn't possible, the latest NodeJS is not supported, and the system needs python and MSVC build tools installed.
The hosted instance at https://restringer.tech/ seems to be broken as well ("Deobfuscation failure: Server is busy. Try again later." for ~24h now).
Considering this, it may be worth looking into methods of sandboxing code via browser APIs. Being able to run restringer in the browser clientside would get rid of the painful installation and stop requiring a backend (aside from just serving the frontend files, which could just as well be done via e.g. GitHub Pages).
An alternative to using isolated-vm might be to use iframe elements with sandbox property.
Communication between the main script and the Sandbox can be done via postMessage. This is safe because postMessage uses structured clone which does not copy functions or prototypes, so even in the case of full sandbox compromise, code execution or prototype pollution could not affect the main script.
(and even if the main script were compromised, the impact would be minimal if the site is hosted on a clean domain/origin which doesn't host any more important services)
Are there any other blockers preventing running in browser aside from the sandbox and some imported nodejs APIs (fs, crypto, url; for which browser-available alternatives should be easy to find)?
Nodejs support could still be kept at the same time by creating separate browser/node implementation files for things like the Sandbox class, and then importing the right one based on environment.
- If you prefer staying away from js build/bundle tools, this should be possible by just using:
  - subpath imports in npm (for nodejs usage and downstream frontend projects using npm+build tool)
  - import maps in the browser (for direct browser usage without build tool, e.g. direct github pages hosting of the repo src)
- Otherwise, just about every modern js build tool also supports build-time import maps, which could be configured differently for the two build targets.
Or do you think that this sounds too complicated/is not a goal you are interested in, and would be better suited as a fork?
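An added example of the host side of the sandboxed-iframe design described in the issue (not code from the restringer project or the issue author); every name in it is the example's own, and `structuredClone` stands in for what `postMessage` does to a payload so the prototype and function behaviour can be checked outside a browser:

```javascript
// Added example, not restringer code; every name below is this example's own.
// Page loaded into the iframe via srcdoc. Without `allow-same-origin` the frame
// has an opaque origin: no access to the host's DOM, cookies or storage.
const SANDBOX_SRCDOC = `<!doctype html><script>
  addEventListener('message', (e) => {
    if (e.source !== parent) return;   // only talk to the host that created us
    const id = e.data?.id; let reply;
    try {
      reply = { id, ok: true, result: (0, eval)(e.data.code) };
    } catch (err) {
      reply = { id, ok: false, error: String(err) };
    }
    e.source.postMessage(reply, '*');  // the sandbox itself holds no secrets
  });
<\/script>`;

// Browser only: create the frame with just allow-scripts, deliberately omitting
// allow-same-origin so the frame stays cross-origin to the host page.
function createSandbox(doc) {
  const iframe = doc.createElement('iframe');
  iframe.setAttribute('sandbox', 'allow-scripts');
  iframe.srcdoc = SANDBOX_SRCDOC;
  doc.body.appendChild(iframe);
  return iframe;
}

// Accept a reply only from our own frame; an opaque-origin frame reports "null".
function isReplyFromSandbox(event, iframe) {
  return event.source === iframe.contentWindow && event.origin === 'null';
}

let nextId = 0;
function runInSandbox(iframe, code, win) {
  const id = ++nextId;
  return new Promise((resolve) => {
    function onMessage(event) {
      if (!isReplyFromSandbox(event, iframe) || event.data?.id !== id) return;
      win.removeEventListener('message', onMessage);
      resolve(event.data);
    }
    win.addEventListener('message', onMessage);
    iframe.contentWindow.postMessage({ id, code }, '*');
  });
}
// postMessage structured-clones its payload: functions cannot cross (DataCloneError)
// and prototype chains are flattened to plain objects, so a compromised sandbox
// cannot hand the host code or a polluted prototype. structuredClone is the same algorithm.
function simulateTransfer(value) {
  try { return { ok: true, value: structuredClone(value) }; }
  catch (err) { return { ok: false, error: err.name }; }
}
```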