Overview

Paul Kinlan from Google explores using web browsers as sandboxes for AI coding agents, demonstrating that browsers can provide the same security isolation needed for untrusted agent code execution without requiring heavy local containers. He built Co-do, a browser-based demo that mimics Claude Cowork’s functionality.

The Breakdown

  • Browser sandbox capabilities - The web browser already contains a 30-year-evolved sandbox designed to safely run hostile, untrusted code from anywhere on the web instantly when users click URLs
  • Three-layer security approach - File System Access API handles filesystem operations, CSP headers with iframe sandbox manage network access, and WebAssembly in Web Workers enables safe code execution
  • Co-do demonstration - A working browser app that lets you select local file folders, configure LLM providers, and interact with files through a chat interface using CSP-approved API calls
  • Double-iframe technique - A complex method for applying network access rules to nested iframes, providing granular control over what the sandboxed code can access
  • webkitdirectory file access - The <input type="file" webkitdirectory> element works across Firefox, Safari and Chrome to give browsers read-only access to entire directory structures at once
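
The network layer described above (CSP limiting which API endpoints the app may call) can be sketched as follows. This is an added example, not code from Co-do or from the original post; the function names and the example.* origins are constructed, and the matcher handles only exact-origin sources, 'self' and 'none'.

```javascript
// Added example: names and origins are constructed, not taken from Co-do.

// Accept only bare https origins, so a provider setting cannot smuggle
// extra directives (";", spaces, paths) into the policy string.
function normalizeOrigin(value) {
  let u;
  try { u = new URL(value); } catch { throw new Error(`not a URL: ${value}`); }
  if (u.protocol !== "https:" || u.origin !== value) {
    throw new Error(`not a bare https origin: ${value}`);
  }
  return u.origin;
}

// Deny everything by default, then open connect-src to the configured providers.
function buildAgentCsp(providerOrigins) {
  const connect = providerOrigins.map(normalizeOrigin);
  return [
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self'",
    `connect-src ${connect.length ? connect.join(" ") : "'none'"}`,
  ].join("; ");
}

// Parse a policy into directive -> sources; the first occurrence of a directive wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified check of whether fetch/XHR to `url` would pass the policy.
// connect-src falls back to default-src when it is absent.
function isConnectAllowed(header, url, selfOrigin) {
  const d = parseCsp(header);
  const sources = d.get("connect-src") ?? d.get("default-src");
  if (sources === undefined) return true; // no governing directive
  const target = new URL(url).origin;
  return sources.some((s) => (s === "'self'" ? target === selfOrigin : s === target));
}
```

Rejecting anything that is not a bare origin matters because the provider list is user configuration that ends up inside a security header.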