# Summary of "The Browser is the Sandbox" ## Overview This article by Paul Kinlan explores whether web browsers can serve as effective sandboxes for running AI-powered agentic tools, similar to Anthropic's sandboxed VM approach for Claude. ## Key Concepts ### The Core Idea Browsers have evolved over 30 years to safely run untrusted code from anywhere on the web. This existing security model could potentially be leveraged for AI agent automation tasks that need to access local files. ### Three Areas of Sandboxing Examined 1. **File System Access** - Layer 1: Read-only via `` - Layer 2: Origin-private filesystem (browser-only storage) - Layer 3: Full folder access via File System Access API (chroot-like isolation) 2. **Network Control** - Content Security Policy (CSP) can restrict network requests - Double-iframe technique for additional isolation - Challenges: Can't fully guarantee all network access is blocked (Beacon API, DNS prefetch concerns) 3. **Execution Environment** - JavaScript and WebAssembly runtimes designed for untrusted code - Web Workers provide isolation from the main UI thread - Workers can inherit strict CSP constraints ## Demo Project: Co-do.xyz The author built a proof-of-concept AI-powered file manager demonstrating these principles: - File system isolation via File System Access API - Network lockdown via strict CSP (only AI provider APIs allowed) - LLM output sandboxed in iframes (no scripts allowed) - Custom tools run in isolated Web Workers with WASM ## Known Limitations - Still requires trusting LLM providers with your data - Malicious files could still be created (macros, scripts) - No undo/backup for destructive operations - Cross-browser support varies (primarily a Chrome demo) - Permission fatigue for users ## Conclusion While not perfect, the browser's security model shows promise for running AI agents safely. The author calls for more investment from browser vendors in improving primitives for securely running generated content. --- **SHA-256 Hash of this summary:** `80ff9f1576f909a5bd9988759e0f459c12dc39fc7f4ea7332e9fc833fcf2d03f` UPDATE: I've updated the file a fair bit with images since I made the summary, so the hash may not match the current content.