Secure Data Connections with SafeJS
We evaluated different approaches, but we wanted something that was safe, fast, and flexible for our needs.
We explored serverless functions as they offer robust security measures. However, relying on external services to run user code raises potential privacy concerns. And, this would mean integrations would only work while the user is online.
Another challenge is speed. Although serverless functions are generally quite fast, they have a slow cold start time. This means we would not be able to provide our users with quick, snappy responses.
For these reasons and a few others, we held off on this approach (for now).
Running user code within the browser offers the advantage of better responsiveness. The browser now even allows for code to be run on threads, meaning the application does not have to freeze while we run the user's code.
However, there are a few problems with this approach, most importantly, security. How do we run user supplied code, in a way that doesn't allow bad actors to write code that could severely affect the user?
We explored solutions that provide this functionality, but none quite met our needs for flexibility. A few of our favorites:
Inspired by these approaches, we decided to create something new that met our needs of safety, speed and flexibility.
SafeJS uses a whitelist system, where we declare what we want the user to have access to. It also overrides methods such as console and fetch.
The solution is simple but elegant. All we are doing is restricting the users global context, executing the code in a worker (which already is a sandboxed environment by itself), and returning the result of the evaluated code.
SafeJS contains no dependencies, and relies on nothing but default browser APIs to work.
SafeJS allows us to run user code in their browser, providing the snappiest experience possible, while controlling the execution environment.
SafeJS also provides a controller class, which provides a nice interface for developers to work work with, as well as some nice to have features such as:
Once data is retrieved, you can work with it like any other data source or variable in Decipad. It's a safe approach that provides the flexibility we needed.
We made SafeJS open source so other people might use it, and so our users can see what we do with their code.
If you are interested in exploring Decipad, you can sign-up and join the beta here.
John and the Decipad Team
In today's fast-paced and highly-connected world, seamless collaboration and offline accessibility have become essential features. Decipad, a cutting-edge notebook-like application tailored for quantitative modeling and analysis, uses CRDTs under the hood to provide some essential properties to the product.