Simon Willison's Weblog: Research

TRE Python binding — ReDoS robustness demo

2026-05-04T17:52:00+00:00

TRE Python binding — ReDoS robustness demo

Demonstrating robust regex performance, this project offers a minimal Python ctypes binding to the TRE regex library, highlighting TRE’s immunity to regular expression denial-of-service (ReDoS) attacks that cripple Python's built-in `re` module. Key benchmarks show that TRE processes even notorious "evil" patterns on gigantic inputs (10 million characters) much faster than `re` on tiny ones, and scales linearly with input size instead of exponentially.

Claude system prompts as a git timeline

2026-04-18T12:17:00+00:00

Claude system prompts as a git timeline

Anthropic's published system prompt history for Claude is transformed into a git-based exploration tool, breaking up the monolithic markdown source into granular files and timestamped commits. By structuring extracted prompts per model, family, and revision, researchers can leverage `git log`, `diff`, and `blame` to trace prompt evolution, compare differences, and attribute changes to specific dates—all without manual parsing.

Exploring the new `servo` crate

2026-04-13T15:04:00+00:00

Exploring the new `servo` crate

After the April 2026 release of the `servo` v0.1.0 crate (blog post), a concise investigation shows that Servo is now an embeddable browser engine for Rust, with a clear API centered on the `ServoBuilder`, `WebView`, and pixel readback methods. A headless CLI (`servo-shot`) successfully renders URLs or HTML files to PNG, building against stable Rust with a robust software-based rendering pipeline.

QuickJS Python Sandbox — Investigation Report

2026-04-12T23:15:00+00:00

QuickJS Python Sandbox — Investigation Report

Exploring the `quickjs` Python package, this project implements an asyncio-compatible JavaScript sandbox with robust resource controls and seamless exposure of both synchronous and asynchronous Python functions (including async httpx fetches) to JavaScript code.

SQLite WAL Mode Across Docker Containers Sharing a Volume

2026-04-07T15:41:00+00:00

SQLite WAL Mode Across Docker Containers Sharing a Volume

SQLite’s WAL mode reliably supports concurrent access when two Docker containers share a volume on the same host, due to shared kernel and filesystem semantics. The experiment, using Docker Desktop for macOS and a named volume, demonstrated real-time propagation of database changes and effective memory-mapped file sharing by monitoring `.db-shm`.

Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

2026-04-03T16:05:00+00:00

Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

JavaScript running inside a `sandbox="allow-scripts"` iframe cannot escape or disable a `` tag, even through removal, modification, or document replacement. Extensive testing across Chromium and Firefox confirmed that CSP policies defined via meta tags are enforced at parse time, and persist even when the iframe is navigated to a data: URI.

Starlette 1.0 skill

2026-03-23T00:05:00+00:00

Starlette 1.0 skill

Starlette 1.0 Skill offers a concise guide for building robust web applications with Starlette, a lightweight ASGI framework. The accompanying demo showcases a task management app featuring projects, tasks, comments, and labels, illustrating Starlette's flexibility in handling routing, templating (Jinja2), async database operations (aiosqlite), and real-time updates.

PCGamer Article Performance Audit

2026-03-22T22:49:00+00:00

PCGamer Article Performance Audit

A performance audit of the March 2026 PCGamer article on RSS readers reveals severe page bloat, with over 82% of network traffic and transferred bytes traced to ad-tech, tracking, and programmatic advertising scripts. Despite the core content consisting of just 10-15 KB of text and a handful of images (~150 KB total), the page triggers over 431 network requests and 5.5 MB of transfer (18.8 MB decoded) within 60 seconds—ballooning to 200+ MB in Firefox due to autoplay video carousels and…

JavaScript Sandboxing Research

2026-03-22T19:53:00+00:00

JavaScript Sandboxing Research

Analyzing current JavaScript sandboxing options for running untrusted code, this research compares core approaches in Node.js (including worker_threads, node:vm, and the Permission Model), prominent npm packages (isolated-vm, vm2), and alternative engines like quickjs-emscripten.

SQLite Tags Benchmark: Comparing 5 Tagging Strategies

2026-03-20T02:57:00+00:00

SQLite Tags Benchmark: Comparing 5 Tagging Strategies

Benchmarking five tagging strategies in SQLite reveals clear trade-offs between query speed, storage, and implementation complexity for workflows involving tags (100,000 rows, 100 tags, average 6.5 tags/row). Indexed approaches—materialized lookup tables on JSON and classic many-to-many tables—easily outperform others, handling single-tag queries in under 1.5 milliseconds, while raw JSON and LIKE-based solutions are much slower.

PDF to Image Converter

2026-03-19T21:06:00+00:00

PDF to Image Converter

Leveraging Rust's `pdfium-render` crate and Python's PyO3 bindings, this project enables fast and reliable conversion of PDF pages to JPEG images, packaged as a self-contained Python wheel. The CLI tool and Python library are both built to require no external dependencies, bundling the necessary PDFium binary for ease of installation and cross-platform compatibility.

REXC (rx) JSON Test Suite

2026-03-19T06:26:00+00:00

REXC (rx) JSON Test Suite

REXC (rx) JSON Test Suite provides a comprehensive, language-agnostic test resource for validating implementations of the REXC encoder/decoder. It includes a single JSON file with 206 tests covering base64 encoding, zigzag integer transformations, value conversions, roundtrip integrity, and special numeric values, ensuring correctness across platforms.

syntaqlite Python Extension in WebAssembly

2026-03-17T16:51:00+00:00

syntaqlite Python Extension in WebAssembly

syntaqlite-python-extension is a Python C extension module that integrates the syntaqlite Rust/C SQL toolkit, making high-fidelity SQL parsing, formatting, validation, and tokenization available to Python and Pyodide environments. It wraps syntaqlite's native FFI for both desktop and web, linking against static libraries produced by Rust and employing Emscripten for WASM builds.

CSRF Protection Demo: Modern Browser-Based Defenses

2026-03-14T04:34:00+00:00

CSRF Protection Demo: Modern Browser-Based Defenses

Modern browser security now enables robust Cross-Site Request Forgery (CSRF) prevention without requiring tokens. This demo project contrasts a vulnerable FastAPI bank app with a protected version, showcasing how browser-sent headers like `Sec-Fetch-Site` and `Origin` empower servers to automatically reject cross-origin POST requests.

v86 exploration

2026-03-10T15:55:00+00:00

v86 exploration

Exploring the v86 Linux Emulator (see v86 Linux Emulator tool), this project evaluates a browser-based Buildroot 2024.05.2 x86 environment with a constrained 39 MB RAM, featuring BusyBox utilities, Lua 5.4.6 scripting, and core text-processing tools. Although it boasts comprehensive shell utilities, file management tools, and basic network utilities (curl, wget, links), actual internet access is unavailable due to the lack of a configured network relay.