alt Hacker NewsThis is generally the purpose of JavaScript execution environments like v8 or jsc (or quickjs although I understand not trusting that as a sandbox to the same degree). They are specifically intended for executing untrusted scripts (eg web browsers). Web assembly’s sandboxing comes from js sandboxing, since it was originally a feature of the same programs for the same reasons. Wrapping one sandbox in another is what I’m surprised by.
Running v8 itself as a sandbox is non-trivial, at least embedded in a Python or Node.js or similar application.
The web is littered with libraries that half do that and then have a note in the README that says "do not rely on this as a secure sandbox".