Hacker News new | ask | show | jobs
by kortilla 274 days ago
None of those security guarantees matter when you take out the sandbox, which is exactly what server-side JS does.

The isolated context is gone and a single instance of code talking to an individual client has access to your entire database. It’s a completely different threat model.
1 comments
galaxyLogic 274 days ago
So maybe the solution would be to sandbox Node.js?

I'm not quite sure what that would mean, but if it solves the problem for browsers, why not for server?

link
simiones 274 days ago
You can't sandbox the code that is supposed to talk to your DB from your DB.

And even on client side, the sandboxing helps isolate any malicious webpage, even ones that are accidentally malicious, from other webpages and from the rest of your machine.

If malicious actors could get gmail.com to run their malicious JS on the client side through this type of supply-chain attack, they could very very easily steal all of your emails. The browser sandbox doesn't offer any protection from 1st party javascript.

link
int_19h 274 days ago
Deno does exactly that.

But in practice, to do useful things server-side you generally need quite a few permissions.

link