> We now use QuickJS, a JavaScript VM written in C and cross-compiled to WebAssembly. This was our backup plan in case the Realms shim approach didn't work out. We were able to activate our backup plan very quickly thanks to a swappable architecture.

I had high hopes for Figma because of their sensible security choices before this blog post. But reading that they are using QuickJS, even though it is unstable and they have cross-compiled it to WASM, doesn't improve the security prospects. Sandbox escapes are still a thing in JS VMs and WASM VMs these days, and using one alone still won't solve these issues. Lite-mode V8 might have made more sense to embed.

Having a plugin system and avoiding malicious code-execution was always going to be a tricky situation, especially on the web. Some form of isolation must exist between the VM and the code that disallows this better than a sandbox. As for choosing JS engines, I don't think choosing QuickJS was a sensible choice in terms of security.



Another downside to the WASM approach is they'll need to allow unsafe-eval in their CSP to support it on Chrome.