Hi all!
I’d appreciate any feedback on the idea below.
Wouldn’t it be cool to be able to run computations inside a forum like this? I believe it becomes both possible and reasonably straightforward with existing tools. Consider:
- Through theme components, discourse allows executing essentially arbitrary client-side JS (there is e.g. a mermaid theme component for rendering mermaid).
- Thebe-core and jupyterlite allow running client-side computations in the browser.
- With a theme component installed and configured, the client can then generate the outputs when the user is editing the post (e.g. when rendering a preview), and then send them to the server, for example as a modified source.
Does this sound reasonable and useful?
1 Like
An exciting idea, to be sure.
A site owner needs to be very careful with serving jupyterlite (or anything, really, but especially an arbitrary-code-execution-as-a-service) in the same browser scope as an authenticated/authorized host application, especially if other-user-generated content is possible.
A semi-sane way to do this is to apply some defense-in-depth techniques:
- (ironically) host jupyterlite on a separate `https` domain (can’t be another port)
- disable as many things as possible
- use all possible means to isolate it (e.g. tight `<iframe sandbox>`)
- provide only a very limited, intentional, uni-directional `postMessage` bus (host → lite) with a well-defined API to inject content in a predictable fashion
The other thing is that lite is… big. It’s possible to cut it down, with loss of features, with a custom `index.js` app (not shipping mermaid, any of the ajv schema stuff, etc. to the browser), but even with just a js kernel, it’s still going to be a pretty heavy experience for an already rather heavy site (no shade on discourse). Putting pretty much any other kernel in the loop would incur an order of magnitude more assets.
3 Likes
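
An added example (not code from either poster, Discourse or JupyterLite) of the uni-directional host → lite `postMessage` bus described in the reply above, with the recipient origin pinned on the host side and the sender origin and message shape checked on the lite side. The origins, the `set-cells` message type and the size limits are assumptions made for illustration.

```javascript
// Constructed values: these origins and the message shape are assumptions,
// not part of Discourse or JupyterLite.
const HOST_ORIGIN = "https://forum.example";   // the authenticated forum
const LITE_ORIGIN = "https://lite.example";    // separate https domain serving jupyterlite
const MAX_CELLS = 20, MAX_SOURCE_LEN = 10000;  // assumed limits

// The only message the bus accepts: { type: "set-cells", cells: [{ source: string }] }
function validateMessage(msg) {
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  if (msg.type !== "set-cells" || !Array.isArray(msg.cells)) return null;
  if (msg.cells.length > MAX_CELLS) return null;
  const cells = [];
  for (const c of msg.cells) {
    if (c === null || typeof c !== "object") return null;
    if (typeof c.source !== "string" || c.source.length > MAX_SOURCE_LEN) return null;
    cells.push({ source: c.source });          // copy known fields only, drop extras
  }
  return { type: "set-cells", cells };
}

// Host side. frameWindow is iframe.contentWindow of a frame assumed to be created
// with sandbox="allow-scripts allow-same-origin"; that pair is acceptable only
// because the frame lives on a different origin than the forum.
function makeHostSender(frameWindow) {
  return function send(msg) {
    const clean = validateMessage(msg);
    if (!clean) return false;
    frameWindow.postMessage(clean, LITE_ORIGIN); // never "*": pin the recipient origin
    return true;
  };
}

// Lite side: accept messages only from the forum origin and only in the known shape.
function makeLiteReceiver(onCells) {
  return function onMessage(event) {
    if (event.origin !== HOST_ORIGIN) return false;
    const clean = validateMessage(event.data);
    if (!clean) return false;
    onCells(clean.cells);
    return true;
  };
}
// Inside the frame: window.addEventListener("message", makeLiteReceiver(render)).
// The forum page registers no "message" listener for the frame, so nothing flows lite -> host.
```
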