Hacker News
by metadat 457 days ago

  import requests

  r = requests.get('https://theonion.com')

  print(r.text)

Hmm, I wonder if you could use subprocess to fetch and run any binary. What kind of sandbox is this running in, and what are the limits?

Running arbitrary untrusted code seems like a potential security issue.

Edit: @porridgeraisin Got it, thanks! Does this mean outbound HTTP requests only work with domains that support arbitrary requests via `Access-Control-Allow-Origin: *`?

3 comments

Maker here! Runs in an isolated Web Worker using WebAssembly, via Pyodide. Everything runs locally in your browser - no file system or other access. Scheduled runs (paid plan) run on AWS Lambda.

So, yes, sadly, network requests only work with domains with Access-Control-Allow-Origin: *. I'm looking at adding a backend CORS proxy to fix this.

We also have a Chrome extension with no CORS limitation. The extension lets you right-click Python code snippets on basically any site (Claude, ChatGPT, DeepSeek etc.) to run them instantly.

https://chromewebstore.google.com/detail/python-code-runner/...

You might check out https://e2b.dev, they already have a really robust sandbox system with nice SDKs.

Interesting, thanks

Yes, it has all the normal CORS restrictions. If you're curious, the PR that added support for this is here: https://github.com/urllib3/urllib3/pull/3195

It runs on Pyodide, i.e., a Wasm interpreter that runs entirely in your browser.
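
The CORS restriction discussed in this thread, as an added example that is not from any commenter or from the project: a JavaScript model of the check a browser applies (following the Fetch standard's CORS check) before code in a page or worker may read a cross-origin response. The function name `corsCheck`, the origin `https://sandbox.example` and the sample headers are constructed for illustration.

```javascript
// Added example: model of the browser-side CORS check on a cross-origin response.
// corsCheck, sandboxOrigin and all sample headers are constructed, not from the thread.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise them before lookup.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  const allowOrigin = headers.get('access-control-allow-origin');
  if (allowOrigin === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  const withCredentials = credentialsMode === 'include';
  // The wildcard is honoured only when no credentials (cookies, HTTP auth) are sent.
  if (!withCredentials && allowOrigin === '*') {
    return { readable: true, reason: 'wildcard, no credentials' };
  }
  // Otherwise the value is compared as one opaque string: a wildcard with
  // credentials, or a comma-separated list of origins, never matches.
  if (allowOrigin !== requestOrigin) {
    return { readable: false, reason: 'origin mismatch' };
  }
  if (!withCredentials) {
    return { readable: true, reason: 'origin echoed' };
  }
  // Credentialed requests also need Access-Control-Allow-Credentials: true (case-sensitive).
  return headers.get('access-control-allow-credentials') === 'true'
    ? { readable: true, reason: 'origin echoed, credentials allowed' }
    : { readable: false, reason: 'credentials not allowed' };
}

const sandboxOrigin = 'https://sandbox.example'; // constructed origin of the in-browser runner

function runCases() {
  const echo = { 'Access-Control-Allow-Origin': sandboxOrigin };
  const cases = [
    ['site sends no CORS headers', 'same-origin', {}],
    ['site sends wildcard', 'same-origin', { 'access-control-allow-origin': '*' }],
    ['wildcard but credentials included', 'include', { 'Access-Control-Allow-Origin': '*' }],
    ['origin echoed, credentials allowed', 'include', { ...echo, 'Access-Control-Allow-Credentials': 'true' }],
    ['origin echoed, credentials not allowed', 'include', echo],
    ['list of origins in one header', 'same-origin', { 'Access-Control-Allow-Origin': `https://a.example, ${sandboxOrigin}` }],
  ];
  return cases.map(([name, mode, hdrs]) => ({ name, ...corsCheck(sandboxOrigin, mode, hdrs) }));
}

for (const r of runCases()) {
  console.log(`${r.readable ? 'READABLE' : 'BLOCKED '}  ${r.name} (${r.reason})`);
}
```

The check governs whether script can read the response, which is why a site without these headers fails from the in-browser sandbox while the same request works from a server or an extension context.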