JavaScript Playground
Run short JavaScript snippets in a time-limited worker inside a unique-origin, network-blocked sandbox.
Privacy: your files never leave your device. All processing happens locally in your browser.
How to use
- 1.Enter a bounded JavaScript snippet that does not require DOM or Node.js APIs.
- 2.Select Run JavaScript to create a fresh isolated worker and sandbox.
- 3.Review console, result, error, or timeout output before changing and rerunning the code.
About JavaScript Playground
JavaScript Playground runs short code snippets locally and shows console messages, returned values, or errors. The editor accepts up to 30,000 characters. Each run creates a new cryptographically random channel token, a unique-origin sandboxed iframe, and a dedicated Web Worker. Results are accepted only when the message source, fixed marker, and current token all match.
User code is JSON-encoded before insertion, and less-than characters are escaped so a string containing a closing script tag cannot break out into iframe markup. The iframe permits scripts but not same-origin access, forms, navigation, popups, or downloads. Its Content Security Policy denies all resources by default, blocks network connections, allows only the inline bootstrap and Blob worker, and disables base URLs and form actions.
Execution happens in the Worker rather than the UI thread. A runaway loop cannot freeze the parent page, and the iframe terminates the worker after 1,500 milliseconds. Every run replaces the prior sandbox. The console captures log and error calls, while the final expression is reported as a result when it can be formatted. Promises are awaited until they settle or the timeout ends the worker.
The worker context has no DOM, document, window, localStorage, cookies, or page session. Network fetches are blocked by CSP. This makes the playground suitable for arrays, strings, objects, algorithms, parsing, arithmetic, and language experiments—not browser UI code. Output formatting uses JSON when possible and falls back to a string; circular or unusual objects may therefore be simplified.
This isolation is a defense boundary, not permission to run unknown or malicious code. Review snippets before execution and never paste passwords, API keys, session tokens, private customer data, or proprietary source into any online editor. The tool stores no projects and does not provide packages, imports, Node.js APIs, TypeScript compilation, debugging breakpoints, or persistent files.
The timeout is a wall-clock guard, not a performance benchmark. Browser scheduling varies, and asynchronous work may be terminated before completion. For production code, use a version-controlled local project with tests, linting, dependency review, and the runtime that will actually execute it.
Methodology & sources
Bound source length, generate a cryptographically random per-run token, JSON-encode code with script-breaking characters escaped, construct a unique-origin allow-scripts iframe with deny-by-default CSP and connect-src none, launch code in a Blob Worker, capture log/error/result messages, validate iframe window plus source marker plus token before accepting output, cap retained entries, and terminate the worker after 1,500 milliseconds or completion.
Frequently asked questions
- Can code access this page or my cookies?
- No. It runs in a Worker inside a unique-origin iframe without same-origin access, and messages require a per-run token.
- Can it use fetch or import packages?
- No. Network connections are blocked and no package runtime is provided.
- What happens to an infinite loop?
- The worker is isolated from the page and is terminated after 1,500 milliseconds.
- Should I paste secrets into the editor?
- No. Never put passwords, tokens, private data, or confidential code into any online playground.
Related tools
- Online HTML EditorEdit HTML and CSS side by side and render a deliberately restricted local preview without running scripts.
- JSON FormatterFormat, minify, and validate JSON in your browser — pretty-print or compress with pinpoint error locations.
- Regex TesterTest JavaScript regex live — see every match, capture group, and named group highlighted as you type.
- ASCII TableLook up every standard 7-bit ASCII code with exact decimal, hexadecimal, octal, and binary values.
- BOM RemoverRemove exactly one leading U+FEFF from pasted decoded text locally while preserving every internal, trailing, or second leading occurrence.
- Chmod CalculatorConvert Unix permission bits between strict octal and complete rwx notation, including setuid, setgid, and sticky states.