alt Hacker News> Figma runs untrusted user plugins in your browser by running them in a QuickJS engine that is compiled to Wasm.
According to the linked blog article, this is not what they are doing, but rather an option they explored. They use JavaScript Realm shims to isolate the execution.
They originally used JS realm polyfill, which is not real JS realm. The polyfill has some security holes. Now they switched to Js interpreter in Wasm.
https://www.figma.com/blog/an-update-on-plugin-security/