GoogleChromeLabs / carlo

Web rendering surface for Node applications
Apache License 2.0

Are scripts in a sandbox, like in a browser? #121

Closed LongTengDao closed 5 years ago

LongTengDao commented 5 years ago

I mean that the scripts viewed in carlo cannot touch the Node.js API, cannot read/write the local file system (outside of the serveFolder), and also cannot read/write online pages cross-origin.

If the answer is yes, that means I can use carlo to safely view things downloaded from the internet (except the boot js file, which is written by myself, see below) without checking the source code.

```js
const carlo = require('carlo');
const fs = require('fs');
const { error } = console;

// Placeholder: folder holding the downloaded content (not defined in the original post).
const download_content_folder = '/path/to/downloaded/content';

(async () => {
  const app = await carlo.launch();
  app.on('exit', () => process.exit());
  app.serveFolder(download_content_folder);

  // Serve <folder>/<path>/index.html for request URLs that end in '/'.
  app.serveHandler(req => {
    if ( req.url().endsWith('/') ) {
      const path =
        download_content_folder+
        req.url().replace('https://domain', '')+
        'index.html';
      fs.readFile(path, (err, data) => {
        if ( err ) { error(err); req.abort().catch(error); }
        else { req.fulfill({ body: data }).catch(error); }
      });
    }
    else { req.continue(); }
  });

  await app.load('index.html');
})().catch(error);
```

pavelfeldman commented 5 years ago

The pages you load in Carlo will have access to the window.carlo and window.rpc objects. They won't be able to script your node context, but they will be able to make rpc calls on the objects you passed into the window.
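
Added example, not part of the thread or of Carlo's own code: the boot script in the question maps request URLs to files under the download folder itself, so keeping those reads inside the folder is that script's job. The helper name `resolveIndexPath` and the sample root are assumptions; the `https://domain` origin is taken from the snippet in the question.

```javascript
const path = require('path');

// Hypothetical helper: map a directory-style request URL to
// <root>/<dir>/index.html, or return null when the URL should not be
// served from disk by this handler.
function resolveIndexPath(root, requestUrl, origin = 'https://domain') {
  let url;
  try {
    url = new URL(requestUrl);
  } catch (e) {
    return null;                                 // not a parseable absolute URL
  }
  if (url.origin !== origin) return null;        // only the app's own origin
  if (!url.pathname.endsWith('/')) return null;  // only directory requests

  let pathname;
  try {
    pathname = decodeURIComponent(url.pathname); // expose %2f, %5c, %00 ...
  } catch (e) {
    return null;                                 // malformed percent-encoding
  }
  if (pathname.includes('\0') || pathname.includes('\\')) return null;

  const rootAbs = path.resolve(root);
  const candidate = path.resolve(rootAbs, '.' + pathname, 'index.html');

  // Containment check: the resolved file must sit under the root.
  const rel = path.relative(rootAbs, candidate);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}
```

In the handler, a `null` result would lead to `req.abort()` rather than a read from disk. The check is lexical only; if the folder may contain symlinks, compare `fs.realpath` results as well.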