Security

This page aims to provide a comprehensive look at the security considerations that went into the design of this learning resource.

All execution in a Web Worker

All untrusted JavaScript evaluation takes place in a Web Worker. Certain Node libraries such as fs, http, and child_process have "synthetic implementations" that provide deep introspection and helpful user interfaces showing how these libraries operate.

Users cannot share files

The threat vector presented by running truly unsafe files from arbitrary user input (e.g. allowing users to share code snippets with each other) is eliminated by not allowing arbitrary user input.

What tracking information is being collected?

When the site first loads in the browser, the value of navigator.doNotTrack || window.doNotTrack || navigator.msDoNotTrack is evaluated. If the user has enabled Do Not Track, no tracking information is collected. If tracking is disabled, there is no effect on the application in terms of feature availability or performance.

If the user has not opted out of tracking, an asynchronous call to FingerprintJS creates a unique fingerprint for the browser client. If this call fails (e.g. if the site is being run locally with limited Internet access), the site behaves as it would after an explicit tracking opt-out. Otherwise, any tracking events are tied to this unique browser fingerprint.
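
The opt-out flow described above, as an added example that is not this site's own code: `isTrackingOptOut`, `resolveTrackingId`, `buildEvent` and the injected `loadFingerprint` (standing in for the FingerprintJS call) are hypothetical names. It assumes each Do Not Track property is compared against known opt-out values rather than tested for truthiness.

```javascript
// Added example; all names are hypothetical, not taken from the site.

// String values browsers have used to report "Do Not Track is on".
const DNT_ON = new Set(["1", "yes"]);

// nav and win are navigator-like and window-like objects, passed in so
// the logic can be exercised outside a browser.
function isTrackingOptOut(nav, win) {
  // The properties hold strings, and "0" or "unspecified" are truthy in
  // JavaScript. A plain `a || b || c` chain would stop at the first such
  // string, so each candidate is checked on its own.
  const candidates = [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack];
  return candidates.some((value) => DNT_ON.has(String(value)));
}

// loadFingerprint is an injected async function that resolves to an
// identifier string (assumption: it wraps the fingerprinting library).
async function resolveTrackingId(nav, win, loadFingerprint) {
  if (isTrackingOptOut(nav, win)) {
    return null; // opted out: the fingerprinting code is never invoked
  }
  try {
    const id = await loadFingerprint();
    return typeof id === "string" && id.length > 0 ? id : null;
  } catch (_err) {
    return null; // load or network failure is treated as an opt-out
  }
}

// With no identifier, events are dropped instead of being queued, so
// nothing is sent later if a fingerprint becomes available.
function buildEvent(trackingId, name) {
  return trackingId === null ? null : { id: trackingId, name };
}
```

Because the opt-out and failure paths both yield `null`, the rest of the application needs only one check and cannot emit an event without an identifier.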
