When building a browser IDE, you inevitably have to execute code written by the user. Using eval() or new Function() is a catastrophic security vulnerability, as it gives the user's code unrestricted access to the IDE's global window object, DOM, and IndexedDB tokens. The traditional solution is to spin up a Web Worker or an iframe, but these carry a massive 50-100ms initialization overhead and consume significant RAM.
NitroIDE achieves absolute security with zero initialization latency by utilizing the TC39 ShadowRealms API, allowing us to instantiate isolated V8 execution contexts directly within the main thread.
A ShadowRealm creates a brand new global object and a pristine JavaScript execution environment. It shares the same thread as the IDE, meaning execution is instantaneous, but it is strictly cordoned off by a "Callable Boundary." Objects cannot be passed directly into or out of a Realm; only primitives and callable functions can cross the border.
Prototype Pollution Immunity: Because the ShadowRealm has its own intrinsics (its own Array, Object, and String constructors), even if the user's code executes a malicious prototype pollution attack, the main IDE's runtime remains completely uncompromised.
Because ShadowRealms boot in less than 1 millisecond, NitroIDE uses them for hyper-fast, secure micro-executions. When calculating complex TypeScript mapped types or running user-defined ESLint rules, we spawn a temporary Realm, execute the AST traversal safely, and destroy the Realm instantly, ensuring perfect security without the Web Worker tax.
Write dangerous infinite loops and prototype hacks. Our sandbox will never break.
Launch Sandbox