Show HN: Duktape-eval – an eval library built on Duktape and WebAssembly (github.com/maple3142)
41 points by maple3142 on Jan 3, 2020 | 6 comments


Consider looking into QuickJS (https://bellard.org/quickjs/) instead, which has more impressive standards support than Duktape.

Figma has a series of blog posts on sandboxing JavaScript in the browser for their plugins API:

https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...

https://www.figma.com/blog/an-update-on-plugin-security/

tl;dr they use QuickJS via WebAssembly at the moment.


I noticed the GitHub repo's been updated to include a QuickJS version.

https://github.com/maple3142/wasm-jseval


What's the benefit of doing it this way vs in a traditional `<iframe sandbox="allow-scripts"/>`?


Is this completely secure? I think this point should be addressed as the main selling point if it is.


Nothing is completely secure; if you find a WASM escape you can trigger from JS within Duktape, it wouldn't be secure, for example.

But yes, outside of escapes like that, it should be safe to run arbitrary JS via this mechanism.


Intriguing! Opens up some interesting possibilities. User-submitted JavaScript for manipulating data, without exposing other users to XSS attacks?



