import { WorkerSandbox } from "./worker_sandbox.ts"; import type { SandboxFactory } from "./sandbox.ts"; // Uses Deno's permissions to lock the worker down significantly export function createSandbox(workerUrl: URL): SandboxFactory { return (plug) => new WorkerSandbox(plug, workerUrl, { deno: { permissions: { // Allow network access net: true, // This is required for console logging to work, apparently? env: true, // No talking to native code ffi: false, // No invocation of shell commands run: false, // No read access to the file system read: false, // No write access to the file system write: false, }, }, // Have to do this because the "deno" option is not standard and doesn't typecheck yet }); }