How to run third party javascript code in compartment in a browser

[bozhidarc]

I'm playing with ses and Compartments and packages/ses/demos/console demo is a great start, but I didn't find something similar for working with external js files.
How to import a third party javascript code which is in a form of ES module but not necessary published in npm.
Let's say in the form of plain javascript file.

[kriskowal]

To load ESM, you’ll need @endo/compartment-mapper. In its current form, it provides importLocation, which is suitable for loading packages laid out in a node_modules tree. It can also build an archive in zip format and read it out later, with makeArchive and importArchive. This may be enough to get you going in the right direction, but to securely load ESM on the web, you will probably need something analogous but not the same.

One option is to use a tool like Browserify, Rollup, or esbuild to compile ESM down to a single script that can run in Compartment().evaluate(script). That works pretty well today.

The compartment mapper is designed to permit the eventual addition of something analogous to import maps on the web. That would look a lot like importArchive, except instead of taking a Zip file, would take a fetch power and the location of the contents of the Zip archive generated by makeArchive (unzipped somewhere on the web). That’s not been written, but would confine guest programs just as well.

We do not yet have a flat file bundle format for confined programs, but that is also a possible future feature of Compartment Mapper. We do have a bundle format based on other Endo infrastructure, on which we bootstrap SES, but it does not itself provide confinement.

Other members of the Endo community, @kumavis and @Jack-Works have explored further into productionizing SES, with various other goals, like mitigating supply chain attacks against their respective platforms. The requirements and solutions are slightly different, but they build on SES too.

[bozhidarc]

Thank you for detailed answer! :)
One more question what if a script is loaded through Compartment().evaluate(script) and this script fetches another script will be the second one compartmentalised, too?
I'll try to simulated, too.

[mhofman]

One more question what if a script is loaded through Compartment().evaluate(script) and this script fetches another script will be the second one compartmentalised, too?

All the evaluators available by default within a compartment are virtualized, yes.

That said, there is no power by default in a lockdown compartment to perform any I/O, including fetch. You'd have to explicitly endow it.

[bozhidarc]

Thank you @mhofman :)