Last year, as part of my Google Summer of Code project, I worked on developing a plugin system for a web-based application, MIT App Inventor 2. In this talk, I will share my journey of designing a secure, sandboxed environment for executing untrusted code on the web. I will discuss the key challenges I encountered, the security implications of running untrusted code, the various approaches I explored, including iframes, a JS engine compiled to WebAssembly, and web workers, and how I settled on the final solution.