Skip to main content
DevBench
All articles
devtoolspythonjavascriptsecurity

Browser code playgrounds: what runs where (and what never leaves your tab)

May 8, 20266 min read

Not every "Run" button means the same thing. Some playgrounds execute entirely in your browser tab; others forward source to a remote compiler farm. The difference matters the moment you paste an API key, a JWT from production, or proprietary business logic.

Three execution patterns you should recognise

  1. Sandboxed JavaScript in an iframe. User code runs in an isolated browsing context with no direct access to your cookies or DevBench DOM. Console output is bridged back to the parent page. There is still a trust boundary: malicious code could try CPU-heavy loops or annoy you — but it cannot open arbitrary network sockets from classic sandbox rules.
  2. WebAssembly interpreters (Pyodide). CPython and wheels are shipped to the client and run locally. First load can be large, but after that your Python source stays in-memory in the tab unless you explicitly fetch data. Stdin can be simulated line-by-line from a text area — useful for teaching and quick scripts.
  3. Remote compile or run APIs.Some languages proxy to an official or vendor-hosted service (for example the Go Playground). Your source crosses the network under that provider's policy. Read their terms before shipping internal code.

Stdin and "feels like a terminal"

Browser playgrounds cannot give you a real TTY. They approximate stdin with buffered lines or shims around small subsets of Node APIs. That is enough for exercises and many algorithms, but not for interactive ncurses apps or programs that expect binary stdin. When behaviour diverges, run the same snippet locally with your real toolchain.

Practical rules

  • Treat every hosted editor as public unless you have verified end-to-end where bytes go.
  • Use browser-first tools for shape checks and learning; use locked-down CI or laptops for secrets.
  • Open DevTools → Network once per product so you know which requests fire on Run.

DevBench's code playground keeps JS/TS and Pyodide paths in the tab and documents Go's remote compile path in-page — match the tool to your threat model, then get back to shipping.

Try it yourself

Use the free browser-based Code playground on DevBench — no signup, runs entirely in your browser.

Open Code playground

More articles

How Base64 encoding works — and when NOT to use it

Base64 turns binary into printable ASCII — useful for email, JSON, and data URIs. Here is how the encoding actually works, why it inflates size by ~33%, and the dangerous cases where people mistake it for encryption.

JWT security best practices — 10 things developers get wrong

JWTs are convenient, but misuse is everywhere: treating payloads as secret, skipping audience checks, weak HMAC keys, and storing tokens where XSS can read them. Here are ten concrete mistakes and what to do instead.

YAML vs JSON — key differences with real examples

JSON is strict and universal; YAML is human-friendly and dangerously powerful. Compare syntax, types, anchors, comments, and multi-document streams — with copy-paste examples you can run through a formatter.

View all articles