[adamscybot]

The web needs APIs that enables certain blocks of codes to run under specific permission constraints. Such constraints might include ability to read/write to DOM; window.alert; redirecting (well I guess CSP covers that one) etc. At least let us mitigate it.

[easrng]

This already exists: iframe sandboxes and content security policies. All we need now is a library that allows you to easily load, run, and interact with code in a sandboxed frame, using something like Comlink to make it feel as if it's all running in the same environment.

[adamscybot]

I know about CSP and iFrames, but I think they aren't ergonomic enough to be used as mechanisms to restrict deps right?

Iframes need a full web context whilst CSP cant target individual code blocks. For example, I might want my code to be able to do alerts, but I dont want dependency x to be able to.

EDIT: Ah I think thats what you meant by your "code in a sandboxed iframe thing". Fair.