JavaScript "Sandboxes" for the web browser.
Latest commit fb9aaea Jan 30, 2015 @TooTallNate Merge pull request #3 from Hypercubed/patch-1
Update Sandbox.js



This script offers a very simple interface for JavaScript "Sandboxes". Underneath, it uses the magic power of iframes to create new execution scopes for JavaScript to be evaluated inside of.

This could potentially be used as the backbone for browser-side:

  • Isolated scope module loading (CommonJS could be implemented on top of this).
  • Client-side HTML templates, with access to certain defined variables.
  • Defining custom JavaScript environments (APIs), then loading external script files that interact with the custom API (abstracting the browser/DOM away).


new Sandbox([bare:Boolean]) -> sandbox

Creates and returns a new Sandbox instance. The bare parameter defaults to true, and determines whether or not the sandbox environment should attempt to have all its extraneous browser/DOM objects removed from the scope. Setting this to false will keep functions like alert and XMLHttpRequest available for use inside the sandbox.

-> Global

The global scope of the sandbox instance. This is a convenient way to share instances of Objects across scopes, or prepare the sandbox environment with properties that scripts can use (like a "require()" function).

sandbox.eval(jsStr:String) -> ?

Calls eval on the given String inside the sandbox. Variables declared inside the sandbox won't be accessible globally, and global variables won't be visible inside the sandbox. The result of the eval is returned.

sandbox.load(filename:String [, callback:function(err) {}])

Loads the JavaScript file filename and executes it into the sandbox. callback is an optional function that gets invoked when the file has finished loading and being evaluated, or an error occurs (like the file was not found).


Synchronously loads the JavaScript file filename and executes it into the sandbox. If there is an error while loading (like the file was not found), then this function will throw. This function is highly discouraged, since synchronous network activity blocks the browser, making it appear to freeze! Also, underneath this function uses XMLHttpRequests, which are restricted by the Same Origin Policy. In other words, this function will ONLY work with files from the SAME DOMAIN.

What Isn't SandboxJS?

  • Sandboxes are NOT separate threads. All Sandbox instances share the same event-loop that the current page uses. As such, never block indefinitely; something like this WILL freeze your browser:

    (new Sandbox()).eval('while(1) {}');

  • Sandboxes are NOT prisons. Depending on the browser, there may be no way to eliminate access to the global scope. So follow the words of Isaac Schlueter: "Prisons are designed to keep dangerous criminals. Sandboxes are for children to not get lost or hurt while playing." There are several ways to break out of the sandbox... DON'T!

Script Caching

The <iframe>s used internally seem to be stricter than the host page in regards to script caching. It is sometimes necessary to add appropriate no-cache headers to the HTTP response from your web server to mitigate this problem.

Testing from a file:// URI doesn't seem to share the same problem (scripts are always reloaded from disk as expected).
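
One way to send the no-cache headers mentioned above, as an added example that is not part of SandboxJS: a Node.js handler that serves the scripts a sandbox loads, marks every response as non-cacheable, and refuses paths that resolve outside the script directory. The names `resolveScript` and `makeHandler`, the `./sandboxed` directory, the `SERVE` variable and port 8080 are assumptions made for the example.

```javascript
// Added example, not part of SandboxJS. Node.js, standard library only.
const http = require('http');
const fs = require('fs');
const path = require('path');

// Tell browser and intermediary caches not to store or reuse the response.
const NO_CACHE = {
  'Cache-Control': 'no-store, no-cache, must-revalidate',
  'Pragma': 'no-cache', // for HTTP/1.0 caches
  'Expires': '0'
};

// Map a request URL to a .js file under root. Returns null for anything
// that is not a .js file or that would resolve outside root.
function resolveScript(root, url) {
  const base = path.resolve(root);
  let pathname;
  try {
    pathname = decodeURIComponent(new URL(url, 'http://localhost').pathname);
  } catch (e) {
    return null; // malformed URL or percent-encoding
  }
  if (pathname.includes('\0')) return null;
  const file = path.resolve(base, '.' + pathname);
  if (!file.startsWith(base + path.sep)) return null;
  return path.extname(file) === '.js' ? file : null;
}

// Build a request handler that serves scripts from root, never cacheable.
function makeHandler(root) {
  return function (req, res) {
    const file = resolveScript(root, req.url);
    if (!file) { res.writeHead(404, NO_CACHE); return res.end(); }
    fs.readFile(file, (err, body) => {
      if (err) { res.writeHead(404, NO_CACHE); return res.end(); }
      const type = { 'Content-Type': 'application/javascript' };
      res.writeHead(200, Object.assign(type, NO_CACHE));
      res.end(body);
    });
  };
}

// Assumed layout: scripts in ./sandboxed. Start with: SERVE=1 node server.js
if (process.env.SERVE) {
  http.createServer(makeHandler('./sandboxed')).listen(8080, '127.0.0.1');
}
```

If the synchronous loader is used, mount the handler on the same origin as the host page, since that loader only works with files from the same domain.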