How WebAssembly + QuickJS Powers a Secure Web Sandbox for Next‑Gen Web Apps

Background: The web side open technology has struggled to balance developer experience and security, with earlier WebView+API control and current mini‑program container approaches failing to fully address these issues.

After six months of evolution, the team built a self‑developed architecture based on WebAssembly and QuickJS to tackle these problems.

Goal

The upgrade aims to create a next‑generation PC open technology for the web, based on W3C standards, complementary to mini‑programs and widgets, forming a complete open‑technology ecosystem for e‑commerce.

Considerations

Two core challenges of client‑side openness are safe execution of external code and protection of user data.

Execution: JavaScript runs inside a WebAssembly + QuickJS sandbox, providing isolation and controllable execution; CSS isolation is achieved with Shadow DOM and iframes.

Data security relies on browser‑level signing and encryption (not detailed here).

Technical Details

WebAssembly

Key points: (1) WebAssembly binary is first turned into unoptimized bytecode by Liftoff, then optimized by TurboFan into machine code. (2) WebAssembly shares the same compilation backend as JavaScript, linking VM and host execution.

WebContainer Architecture

The solution is designed at the app level (multiple pages, routing, communication) with QuickJS as the runtime, handling page management, authentication, memory analysis, etc.

Binding Details

External code runs in QuickJS; the runtime emulates the browser environment. API bindings are defined by the host JavaScript runtime following W3C specs, with WebAssembly memory bound to QuickJS. Calls are mapped to host implementations and subject to security policies.

Development Model

The WebContainer focuses on improving developer experience without imposing framework constraints, defining an App Export interface for integration.

Benchmark

Compared with pure mini‑programs, the WebContainer improves communication efficiency by 355×, while JavaScript execution speed drops to about 1 % of V8, which remains acceptable for production.

Business Deployment

In private‑domain merchant scenarios, the solution has been deployed in shop‑decoration forms, receiving positive ISV feedback, and will eventually replace existing containers across the platform.

Future Work

Future efforts will extend the WebContainer to higher‑level open systems, address plugin ecosystems, reduce startup latency, and enhance QuickJS debugging capabilities.