Learning about running untrusted JS:
- can't expose your other JS so use VM2
- but VM2 will probably leak and doesn't protect against while(true) so run in a container
- but then you read containers can't be trusted! Kernel exploits galore! For real security use full virtualization
- But KVM might have bugs too! The real way to go is bare metal.
- You're gonna airgap that, right?
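
The `while(true)` point above, as an added example that is not part of the original post: an in-process sandbox cannot be interrupted from outside the engine, so the snippet runs in a child process that the parent kills on a wall-clock timeout. Node's built-in `node:vm` stands in for VM2 here, and `runUntrusted`, `timeoutMs` and `heapMb` are hypothetical names.

```javascript
// Added example (not from the original post). Assumes Node.js on a POSIX host.
const { spawnSync } = require('node:child_process');

// Child-side wrapper: reads the untrusted source from stdin and evaluates it
// in a fresh vm context. node:vm is NOT a security boundary; it only keeps
// the snippet from touching this wrapper's variables by accident.
const CHILD = `
const vm = require('node:vm');
let src = '';
process.stdin.on('data', (d) => { src += d; });
process.stdin.on('end', () => {
  const out = vm.runInNewContext(src, Object.create(null));
  process.stdout.write(JSON.stringify(out) ?? 'null');
});`;

function runUntrusted(source, { timeoutMs = 2000, heapMb = 64 } = {}) {
  const r = spawnSync(
    process.execPath,
    [`--max-old-space-size=${heapMb}`, '-e', CHILD],
    {
      input: source,          // untrusted code goes in via stdin, never argv
      timeout: timeoutMs,     // wall-clock limit enforced by the parent
      killSignal: 'SIGKILL',  // cannot be caught or ignored by the child
      env: {},                // do not leak the parent's environment
      encoding: 'utf8',
      maxBuffer: 1 << 20,     // cap captured output at 1 MiB
    }
  );
  if (r.error && r.error.code === 'ETIMEDOUT') return { status: 'timeout' };
  if (r.status !== 0) return { status: 'crashed', detail: r.signal || r.status };
  return { status: 'ok', value: JSON.parse(r.stdout) };
}

// Constructed sample inputs.
console.log(runUntrusted('1 + 1'));
console.log(runUntrusted('while (true) {}', { timeoutMs: 1000 }));
```

This bounds only CPU time, heap and captured output. Code that escapes the vm context still runs with the child's OS privileges, which is where the container and virtualization steps in the list come in.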