How WebAssembly + QuickJS Enables a Secure Web Sandbox for Next‑Gen Open Platforms

Background

Web front‑end open technologies have long sought the best solution, evolving from early WebView + API control to current mini‑program container architectures, which still fall short on developer experience and security isolation.

After six months of evolution and business rollout, a self‑developed architecture based on WebAssembly and QuickJS was created to address these challenges.

Goal

The upgrade aims to build a next‑generation PC open technology for the web, based on W3C standards, complementing mini‑programs and widgets, and forming a complete open‑technology ecosystem for e‑commerce.

Considerations

Two core problems of client‑side openness are identified: (1) safely executing external code, and (2) protecting user data with end‑to‑end security.

For code execution, JavaScript runs inside a WebAssembly + QuickJS secure container, providing isolation and controllable execution; CSS isolation is achieved via Shadow DOM and iframes.

Data security relies on browser‑level signing, verification, and encryption (not detailed here).

Technical Details

WebAssembly

Key points: WebAssembly binary code is first turned into unoptimized bytecode by Liftoff, then optimized by TurboFan into machine code; the compilation backend is shared with JavaScript, making the final machine code architecture‑specific and enabling synchronized VM‑host calls.

WebContainer Architecture

The solution adopts an app‑level architecture (multiple pages, routing, communication) with QuickJS as the runtime, handling multi‑page management, authentication, and memory analysis.

Binding Details

External code runs in QuickJS, requiring an API binding that mirrors the browser environment. Host JavaScript defines W3C‑compliant APIs, which are bound to QuickJS memory via WebAssembly; calls are mapped to host implementations and subject to security policies before execution.

Development Model

The WebContainer focuses on improving developer experience without imposing framework constraints, while defining an App Export interface for integration.

Benchmark

Performance tests show that communication efficiency improves by 355× compared to pure mini‑programs, while JavaScript execution speed drops to about 1 % of native V8 due to the security container, which remains acceptable for production.

Business Deployment

In merchant private‑domain scenarios, the solution has been deployed in shop‑decoration forms, receiving positive feedback from ISVs, and will eventually replace existing containers across the platform.

Future

Future work includes extending the WebContainer capabilities to higher‑level open systems, building a plugin ecosystem, reducing startup latency, and enhancing QuickJS debugging features.