How ShadowRealm Can Safely Isolate Untrusted JavaScript in Your Web Apps

This article explains the security risks of integrating third‑party scripts, why traditional isolation methods like iframes, Web Workers, and eval fall short, and introduces the upcoming ShadowRealm proposal with its lightweight, synchronous, and fully isolated JavaScript global environment and simple API.


Developers often need to integrate code from various sources—third‑party ads, analytics scripts, user plugins, or dynamically loaded modules—introducing significant security risks.

Traditional approaches such as iframe, Web Workers, or eval each have drawbacks: iframe is heavyweight with complex communication, Web Workers are asynchronous and unsuitable for synchronous execution, and eval offers no isolation.

What Is ShadowRealm?

ShadowRealm is a forthcoming ECMAScript proposal that lets developers create a brand‑new, isolated JavaScript global environment. It can be thought of as a lightweight, pure‑JavaScript iframe without DOM or rendering overhead, providing controlled synchronous communication.

Each ShadowRealm instance has its own globalThis and a full set of built‑in objects (e.g., Object, Array, Promise). Code running inside cannot access the page’s window or document, achieving strong security isolation.

Core Concepts and API Usage

The API is intentionally minimal.

Creating a Realm:

const realm = new ShadowRealm();

Evaluating Code:

Use the evaluate() method to run a JavaScript string inside the realm. It returns a Promise that resolves to the execution result.

Note : Code evaluated inside cannot reach any variables from the outer scope.

Importing Functions:

The importValue() method lets you import a function defined inside the realm so you can call it from the outer environment.

const realm = new ShadowRealm();
// Define `greet` inside the realm. The original definition is not reproduced on this
// page; this body is reconstructed from the expected output shown below.
await realm.evaluate(`globalThis.greet = (name) => "Hello from the Realm, " + name + "!";`);
// `greet` is defined in the evaluate call above
const wrappedGreet = await realm.importValue('greet');
// Call the wrapped function from the outer environment
const message = await wrappedGreet('World');
console.log(message); // → "Hello from the Realm, World!"

As of now, the ShadowRealm API is at TC39 Stage 3, meaning the design is stable and awaiting broad browser implementation and final approval.
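The following is an added example, not code from the original article or from the ShadowRealm proposal itself. It makes two of the points above concrete: `eval` runs with the caller's scope, so untrusted text can read host state (here a constructed sample token, `apiToken`), whereas a realm boundary only lets primitives and callables cross. The `assertCrossable` helper applies that rule on the host side, and `runIsolated` feature-detects `ShadowRealm` and refuses to downgrade to `eval` when it is absent. The names `evalLeaksOuterScope`, `assertCrossable`, `runIsolated` and `hasShadowRealm` are this example's own.

```javascript
// Added example (not from the original article): contrasts eval's lack of
// isolation with a ShadowRealm-style boundary. ShadowRealm itself is only
// used when the host exposes it; there is deliberately no eval fallback.

// Constructed sample secret living in the host (outer) scope.
const apiToken = 'constructed-secret-token';

// eval evaluates untrusted text with the caller's scope, so that text can
// read (and modify) host state. Returns whatever the evaluated code read.
function evalLeaksOuterScope(untrustedSource) {
  // eslint-disable-next-line no-eval
  return eval(untrustedSource);
}

// The proposal only lets primitives and callables cross a realm boundary;
// plain objects (and so DOM nodes, host closures, etc.) raise a TypeError.
// This helper applies the same rule so host code can validate a value before
// passing it into, or accepting it from, a realm.
function assertCrossable(value) {
  if (value === null || typeof value !== 'object') {
    return value; // primitive or function: allowed to cross
  }
  throw new TypeError('only primitives and callables may cross a realm boundary');
}

// True when the host exposes the ShadowRealm constructor (hypothetical check;
// availability depends on the engine and, in Node, on experimental flags).
function hasShadowRealm() {
  return typeof ShadowRealm === 'function';
}

// Runs untrusted source in a fresh ShadowRealm. When the host lacks it, we
// refuse rather than fall back to eval, which isolates nothing. The result is
// awaited so this works whether evaluate() hands back a promise (as the
// article describes) or a plain value.
async function runIsolated(untrustedSource) {
  if (!hasShadowRealm()) {
    throw new Error('ShadowRealm unavailable; refusing to fall back to eval');
  }
  const realm = new ShadowRealm();
  const result = await realm.evaluate(untrustedSource);
  return assertCrossable(result);
}

// Demonstration when run directly: eval exposes the host token, the realm
// path either isolates the code or refuses to run it.
console.log('eval saw:', evalLeaksOuterScope('apiToken'));
runIsolated('1 + 1')
  .then((v) => console.log('realm result:', v))
  .catch((e) => console.log('realm path:', e.message));
```

Design note: the boundary check is what makes the "lightweight iframe" analogy hold in practice. If host code ever hands a realm an object reference (a DOM node, a config object holding a closure), isolation is gone, so validating with something like `assertCrossable` at the edge keeps the contract explicit even before every browser ships the API.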
