The browser is the sandbox

The browser is the sandbox. Paul Kinlan is a web platform developer advocate at Google and has recently focused his attention on coding agents. He immediately recognized the importance of a robust sandbox for agents to operate in and put together these detailed notes on how the web browser can help:

This got me thinking about browsers. Over the past 30 years, we’ve built a sandbox specifically designed to run malicious, untrusted code from anywhere on the web as soon as a user taps a URL. […]

Can you build something like Cowork in the browser? Perhaps. To find out, I created a demo called Co-Do that tests this hypothesis. In this post I want to discuss the research I’ve done to see how far we can get, and determine whether the browser’s ability to run untrusted code is useful (and good enough) for enabling software to do more for us directly on our computers.

Paul then describes how three key aspects of the sandbox (file system, network access, and secure code execution) can be handled by browser technologies: the File System Access API (still Chrome-only as far as I can tell), CSP headers, and WebAssembly in Web Workers.

Co-Do has a very interesting demo that shows all these ideas in a single application:

[Screenshot of the Co-Do application interface with the robot logo. The left sidebar shows the Workspace section with a "Select Folder" button, "Selected folder: blog-drafts (live updates enabled)" in green text, and a list of Markdown files. The main chat area shows the user message "Three most recently edited files?" in an orange bubble, a "Using 26 tools..." dropdown, and the AI response, ending with a table with a last-modified column listing predictions-2026.md (January 8, 2026), December-2025.md (January 2, 2026) and gemini-3-flash.md (December 17, 2025). At the bottom are a green "reaction complete" banner, an input field with the placeholder "Ask me for help with your files..." and the notice "File contents are sent to your selected AI provider".]

You choose a folder full of files, configure an LLM provider and set an API key. Co-Do then uses CSP-approved API calls to interact with that provider and provides a chat interface with tools to interact with those files. It sounds really similar to Claude Cowork but without running multi-GB local containers to provide a sandbox.
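As an added illustration of the CSP-approved calls described above (this is not Co-Do's code and does not come from Paul's post): a sketch that builds a policy permitting network access only to the configured provider, then checks which request URLs that policy would let through. The provider origin, the directive set and the function names are assumptions, and the matcher handles only exact-origin and 'self' sources.

```javascript
// Added example, not Co-Do's code. The provider URL is a constructed placeholder.
const PROVIDER = "https://api.llm-provider.example/v1/chat";

// Build a policy whose only permitted network destination is the provider's origin.
function buildCsp(providerUrl) {
  const u = new URL(providerUrl);            // throws on malformed input
  if (u.protocol !== "https:") throw new Error("provider must use https");
  return [
    "default-src 'none'",                    // deny anything not listed below
    "script-src 'self' 'wasm-unsafe-eval'",  // assumption: the app compiles WebAssembly
    "worker-src 'self'",
    "style-src 'self'",
    `connect-src ${u.origin}`,               // fetch/XHR/WebSocket destinations
  ].join("; ");
}

// Parse a policy string into Map(directive name -> source list).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Simplified connect-src check: exact-origin and 'self' sources only
// (no wildcards, paths or scheme-only sources). Falls back to default-src.
function connectAllowed(policy, requestUrl, selfOrigin) {
  const d = parseCsp(policy);
  const sources = d.get("connect-src") ?? d.get("default-src");
  if (sources === undefined) return true;    // no governing directive: unrestricted
  const target = new URL(requestUrl).origin;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target === selfOrigin;
    try { return new URL(src).origin === target; } catch { return false; }
  });
}
```

A request from tool code to any origin other than the configured provider fails this check, which is the property that stops file contents from being sent anywhere else.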

My biggest complaint is still how thinly documented this is, especially across different browsers. Paul’s post has all kinds of useful details that I haven’t found anywhere else, including a complex double-iframe technique to help enforce network rules on the inside of two frames.

Thanks to this post I also came to know about a tag that works on Firefox, Safari and Chrome and allows the browser to have read-only access to an entire directory of files at once. I had a WebKitDirectory demo created from the cloud to try it out and I will definitely be using it for future projects.

[Screenshot of the dark-themed file explorer demo. A top stats bar shows 12179 total files, 2079 folders, 244 MB total size and 97 file types. Below a search bar, the left "file tree" panel displays the folder hierarchy, with HOOKS.md (10.7 KB) selected; the right "file preview" panel shows that file's name, path, size, type (text/markdown) and last-modified time, followed by a preview of its contents. At the bottom, a "file type distribution" horizontal bar chart shows .py (4439), no ext (3358), .dat (1068), .pyc (925), .txt (332), .mo (321), .po (321), .html (249). Image: https://static.simonwillison.net/static/2026/webkit-file-tree.jpg]