I mentioned in the Cap'n Web thread earlier this week that we had another capabilities-related announcement coming Friday.
Cloudflare Workers now offers an API where a Worker can launch a sandbox and run arbitrary code in it.
It uses a capability-based permissions model. The `env` object that you specify can contain a certain form of capabilities: "service bindings", which are arbitrary RPC interfaces exported by another worker. When using worker loaders, you normally point these back at the parent worker, which acts as a supervisor, and can proxy on to external resources.
Of course, the RPC system itself is also capability-based. Same semantics as Cap'n Web, but we've actually had a version of this built into our runtime for a long time.
By the way, the Workers platform has all along used a capability-based mechanism for granting Workers access to specific external resources:
We've seen people increasingly realizing lately that this is the right model for AI agents and AI-generated code. It's so much easier than trying to filter traffic.
Another BTW, the platform also features an actor model where fine-grained actors can run all around the world and get persistent state:
-Kenton
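The supervisor pattern described in the message above, modelled in plain JavaScript as an added example (it is not code from the message or from Cloudflare, and it does not use the Workers API). The parent mints a narrow, tenant-scoped binding, passes it in `env`, and proxies to a resource the sandboxed code never sees; all names (`makeStorageBinding`, `runSandboxed`, `STORAGE`) and the sample data are constructed, and the isolation itself is assumed to come from the sandbox.

```javascript
// Plain-JavaScript model of the supervisor pattern; not the Workers API.
// All names here (makeStorageBinding, runSandboxed, STORAGE) are hypothetical.

// Constructed stand-in for an external resource only the supervisor can reach.
const backingStore = new Map([
  ["tenant-a/notes.txt", "hello from A"],
  ["tenant-b/secret.txt", "B's data"],
]);
const auditLog = [];

// Supervisor side: mint a capability scoped to one tenant prefix.
// The sandboxed code is handed this interface, never backingStore itself.
function makeStorageBinding(tenant) {
  const prefix = `${tenant}/`;
  const resolve = (name) => {
    if (typeof name !== "string" || name.includes("/") || name.includes("..")) {
      throw new Error("invalid object name");
    }
    return prefix + name;
  };
  return Object.freeze({
    async get(name) {
      const key = resolve(name);
      auditLog.push({ tenant, op: "get", key });
      return backingStore.get(key) ?? null;
    },
    async put(name, value) {
      const key = resolve(name);
      auditLog.push({ tenant, op: "put", key });
      backingStore.set(key, String(value));
    },
  });
}

// Launch untrusted code with an env holding only the capabilities chosen for it.
async function runSandboxed(untrustedFn, env) {
  return untrustedFn(Object.freeze({ ...env }));
}

// Constructed "untrusted" code: its authority is exactly what env contains.
async function untrustedAgent(env) {
  await env.STORAGE.put("out.txt", "written by agent");
  const own = await env.STORAGE.get("notes.txt");
  let escape;
  try { escape = await env.STORAGE.get("../tenant-b/secret.txt"); }
  catch (e) { escape = `denied: ${e.message}`; }
  return { own, escape, hasNetwork: "FETCH" in env };
}
```

Because every call passes through the supervisor's binding, the audit log and the scoping check live in one place, with no traffic filter to keep in sync.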