Secure Modular Runtimes

submited by
Style Pass
2021-05-25 22:00:08

I recently posted the following Tweet with regards to the current state of the third-party security problem in the JavaScript ecosystem: Having worked on and followed modules standards from TC39 and WhatWG to Node.js, it's so so clear that security was, is, and always will be an afterthought. Where are the secure-by-default open platform developments? Crypto is the only community I see doing it.— Guy Bedford (@guybedford) August 21, 2020

Having worked on and followed modules standards from TC39 and WhatWG to Node.js, it's so so clear that security was, is, and always will be an afterthought. Where are the secure-by-default open platform developments? Crypto is the only community I see doing it.

I wanted to fill in some of the background to this from my own work on Node.js modules and security concepts, following the Agoric SES and compartment models, and from a growing feeling of the inadequacy of the Node.js, Deno and browser runtimes for supporting the third-party security needs of the ecosystem.

TLDR; I think we need to think about new more secure runtimes for JS, and it should be a collaborative effort, with the components being modules, adding isolated scopes to import maps, and a careful security model plus compatibility with the existing ecosystem. Skip ahead to the proposal here.

Leave a Comment