Secure EcmaScript
We are using Secure EcmaScript (SES) by Agoric to sandbox plugins and limit their access to the global scope and prototypes. It is not yet completely production ready, but it is built on Realms, which is a standards-track browser API.
The underlying Realms shim is already in use in production at both Salesforce and Figma, building confidence in its approach.
When building with the plugin-starter script, you will occasionally hit errors related to loading your scripts into the SES environment. This is usually caused by one of your dependencies trying to access a global API, or overwriting the prototype of a "primordial" like String or Object, or doing something else clever with the JavaScript environment. Sometimes the only way to fix these issues is to submit changes to those dependencies. Other times you may need to open issues on the SES repo itself.
The good news is that generally these fixes encourage better development practices all around, and increase security of your dependencies, so consider this a moment to ensure your plugin code has the highest possible hygiene.
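The loading failures described above can be reproduced without the plugin tooling. The following is an added example, not code from this project or from SES: it uses Node's built-in vm module as a stand-in for the SES environment, freezes a subset of primordials in a fresh context, and loads constructed sample dependencies into it. The names makeHardenedContext, tryLoad and SAMPLES are hypothetical, and the override case goes one step beyond the text by showing that plain assignment of a name inherited from a frozen prototype also fails.

```javascript
// Added example. Node's vm module stands in for SES here: it provides a
// fresh set of primordials that can be frozen without touching the host.
const vm = typeof require === "function" ? require("node:vm")
  : process.getBuiltinModule("node:vm"); // same module when run as ESM

// Subset of primordials frozen in this stand-in (an assumption of the example).
const FROZEN = ["Object", "Function", "Array", "String", "Number", "Promise"];

function makeHardenedContext() {
  const context = vm.createContext({}); // no host globals are endowed
  vm.runInContext(
    `"use strict";
     for (const name of ${JSON.stringify(FROZEN)}) {
       Object.freeze(globalThis[name].prototype);
       Object.freeze(globalThis[name]);
     }`,
    context
  );
  return context;
}

// Load one dependency source string in strict mode and report the outcome.
function tryLoad(source) {
  try {
    vm.runInContext(`"use strict";\n${source}`, makeHardenedContext());
    return { ok: true, error: null };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample "dependencies", one per failure mode.
const SAMPLES = {
  // Adds a method to a primordial prototype: TypeError, the object is frozen.
  polyfill: `String.prototype.shout = function () { return this + "!"; };`,
  // Reads a host global that the sandbox was never given: ReferenceError.
  hostGlobal: `const home = process.env.HOME;`,
  // Plain assignment of a name inherited from frozen Object.prototype: TypeError.
  override: `function Point() {} Point.prototype.toString = function () { return "pt"; };`,
  // Hygienic rewrite: a local helper, and defineProperty instead of assignment.
  hygienic: `const shout = (s) => s + "!";
             function Point() {}
             Object.defineProperty(Point.prototype, "toString", { value: () => "pt" });
             if (shout("ok") !== "ok!" || String(new Point()) !== "pt") throw new Error("bad");`,
};

for (const [name, source] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(10), JSON.stringify(tryLoad(source)));
}
```

The error name tells you which kind of fix the dependency needs: a TypeError points at code that mutates or shadows a primordial, a ReferenceError at code that expects a host global.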