Skip to content

JavaScript Playground

Run short JavaScript snippets in a time-limited worker inside a unique-origin, network-blocked sandbox.

Privacy: your files never leave your device. All processing happens locally in your browser.

How to use

  1. 1.Enter a bounded JavaScript snippet that does not require DOM or Node.js APIs.
  2. 2.Select Run JavaScript to create a fresh isolated worker and sandbox.
  3. 3.Review console, result, error, or timeout output before changing and rerunning the code.

About JavaScript Playground

JavaScript Playground runs short code snippets locally and shows console messages, returned values, or errors. The editor accepts up to 30,000 characters. Each run creates a new cryptographically random channel token, a unique-origin sandboxed iframe, and a dedicated Web Worker. Results are accepted only when the message source, fixed marker, and current token all match.

User code is JSON-encoded before insertion, and less-than characters are escaped so a string containing a closing script tag cannot break out into iframe markup. The iframe permits scripts but not same-origin access, forms, navigation, popups, or downloads. Its Content Security Policy denies all resources by default, blocks network connections, allows only the inline bootstrap and Blob worker, and disables base URLs and form actions.

Execution happens in the Worker rather than the UI thread. A runaway loop cannot freeze the parent page, and the iframe terminates the worker after 1,500 milliseconds. Every run replaces the prior sandbox. The console captures log and error calls, while the final expression is reported as a result when it can be formatted. Promises are awaited until they settle or the timeout ends the worker.

The worker context has no DOM, document, window, localStorage, cookies, or page session. Network fetches are blocked by CSP. This makes the playground suitable for arrays, strings, objects, algorithms, parsing, arithmetic, and language experiments—not browser UI code. Output formatting uses JSON when possible and falls back to a string; circular or unusual objects may therefore be simplified.

This isolation is a defense boundary, not permission to run unknown or malicious code. Review snippets before execution and never paste passwords, API keys, session tokens, private customer data, or proprietary source into any online editor. The tool stores no projects and does not provide packages, imports, Node.js APIs, TypeScript compilation, debugging breakpoints, or persistent files.

The timeout is a wall-clock guard, not a performance benchmark. Browser scheduling varies, and asynchronous work may be terminated before completion. For production code, use a version-controlled local project with tests, linting, dependency review, and the runtime that will actually execute it.

Methodology & sources

Bound source length, generate a cryptographically random per-run token, JSON-encode code with script-breaking characters escaped, construct a unique-origin allow-scripts iframe with deny-by-default CSP and connect-src none, launch code in a Blob Worker, capture log/error/result messages, validate iframe window plus source marker plus token before accepting output, cap retained entries, and terminate the worker after 1,500 milliseconds or completion.

Frequently asked questions

Can code access this page or my cookies?
No. It runs in a Worker inside a unique-origin iframe without same-origin access, and messages require a per-run token.
Can it use fetch or import packages?
No. Network connections are blocked and no package runtime is provided.
What happens to an infinite loop?
The worker is isolated from the page and is terminated after 1,500 milliseconds.
Should I paste secrets into the editor?
No. Never put passwords, tokens, private data, or confidential code into any online playground.

Developer Tools guides

View all