Closed cosbgn closed 4 years ago
Sval isn't a safe choice.
Of course you can disable certain global APIs by just overwriting them using import, for example, interpreter.import('localStorage', false).
However, external scripts can hack the prototype chain to "steal" the original one from the host environment. It's nearly impossible to protect the prototype chain and also Sval has no protections on the original prototype at all.
I need to run some external code on my app. I'm mostly concerned that this external code can access localstorage and cookies. Can the interpreter do that? Is there a way to disable certain APIs like localstorage, eval etc? Thank you!
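The reply's point that overwriting a global by name still leaves guest code sharing the host's prototype chain can be checked with a small isolation audit. This is an added example, not code from the thread or from Sval: `runWithOverrides`, `auditIsolation` and the `demoStorage` global (standing in for `localStorage`) are hypothetical names, and the evaluator only models name shadowing in the same realm.

```javascript
'use strict';

// Hypothetical stand-in for "overwrite the global by name": every key in
// `overrides` becomes a local binding that shadows the host global of the
// same name. It models the idea only; it is not Sval's implementation.
function runWithOverrides(source, overrides) {
  const names = Object.keys(overrides);
  const values = names.map((name) => overrides[name]);
  const fn = new Function(...names, `"use strict"; return (${source});`);
  return fn(...values);
}

// Constructed host state: `demoStorage` plays the role of localStorage.
const hostStorage = { token: 'constructed-sample-value' };
globalThis.demoStorage = hostStorage;

// Audit: evaluate probes as guest code and compare what comes back, by
// identity, with the host's own objects. Any `true` under "shares..." means
// guest and host use the very same intrinsic, so the name override is not
// an isolation boundary.
function auditIsolation(overrides) {
  const guestProto = runWithOverrides('Object.getPrototypeOf({})', overrides);
  const guestFnCtor = runWithOverrides('(function () {}).constructor', overrides);
  const guestArrayProto = runWithOverrides('Object.getPrototypeOf([])', overrides);
  return {
    // The bare name no longer resolves to the host object...
    nameHidden: runWithOverrides('demoStorage', overrides) !== hostStorage,
    // ...but every object the guest creates still hangs off host prototypes.
    sharesObjectPrototype: guestProto === Object.prototype,
    sharesArrayPrototype: guestArrayProto === Array.prototype,
    sharesFunctionConstructor: guestFnCtor === Function,
  };
}

const report = auditIsolation({ demoStorage: false });
console.log(report);
```

A report with `nameHidden: true` next to shared intrinsics is the situation the reply describes: the name is gone, the host's prototypes are not.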