5 Essential Facts About JavaScript's Upcoming ShadowRealm Feature
If you've been following the work at TC39—the committee that evolves JavaScript—you might have heard whispers about a new proposal called ShadowRealms. Yes, the name is as mysterious as it sounds, but it's far more than a quirky label. For years, developers have been told JavaScript is single-threaded. That's true at the language level, but in practice, modern web applications already use multiple threads via Web Workers and iframes. ShadowRealm aims to formalize and simplify this pattern, offering a clean way to run scripts in isolated environments. In this article, we'll break down five crucial things you need to know about ShadowRealm, from what a realm actually is to how this feature could change your code’s security and performance. Let's dive in.
1. What Is a JavaScript Realm?
A realm is the execution context where your JavaScript code runs. Think of a realm as a self-contained universe: it has its own global object (like window in a browser tab), its own set of built-in functions, and its own memory heap. When you open a browser tab, that's one realm. Create a Web Worker? That's a separate realm with its own thread. Even an iframe—whether same-origin or cross-origin—is its own realm. The key insight is that while JavaScript as a language is single-threaded (meaning one function executes at a time within a realm), a single application can span multiple realms, each with its own thread. This distinction helps understand why ShadowRealm is so compelling.
2. The Myth of JavaScript’s Single Thread
It's common to hear “JavaScript is single-threaded” as a fundamental truth. Technically, the language itself doesn't support multi-threading, but that doesn't mean your app can't use multiple threads. Web Workers have allowed parallel execution for years, and iframes let you run scripts in isolated contexts. The phrase “JavaScript is single-threaded” is misleading because it suggests the entire application is limited to one thread. In reality, each realm has its own thread. The main page, a worker, and an iframe each execute independently. ShadowRealm builds on this idea by providing a standardized, secure way to create new realms without the overhead of workers or iframes. It’s a cleaner mental model: think of realms, not threads.
3. How ShadowRealm Differs from Web Workers and Iframes
Web Workers and iframes are existing tools for isolation, but they come with trade-offs. Workers run in a separate thread but lack access to the DOM, making them unsuitable for UI-related tasks. Iframes provide full DOM access but come with styling and security baggage (cross-origin restrictions, additional HTTP requests). ShadowRealm offers a middle ground: it creates a new realm with its own global object, but it doesn't spawn a new thread—it runs synchronously within the calling realm's thread. This makes it ideal for executing untrusted code (like third‑party scripts) or for isolating libraries that might pollute the global scope. Plus, it's lightweight: no separate thread or HTTP request needed. Unlike workers, realms can share the same thread, but they remain completely isolated in terms of variables and prototypes.
4. Security and Isolation: The Crown Jewel of ShadowRealm
One of the biggest pain points for web developers is running code from unknown sources. Whether it's a widget, a user‑generated script, or a legacy plugin, you want to prevent it from tampering with your main application. ShadowRealm provides a secure sandbox: code inside a ShadowRealm cannot access the outer realm's global object, DOM, or internal state unless explicitly passed via a value object. This makes it far safer than an iframe, which can still communicate via postMessage and might leak to the parent. The proposal also includes mechanisms to limit authority—so you can grant only specific capabilities to the inner realm. Think of it as a virtual machine for JavaScript, running inline without the complexity of eval or new Function(). It's a step toward truly safe code delegation.
5. When Can We Use It? Current Status and Browser Support
ShadowRealm is currently a Stage 3 proposal in TC39, meaning the syntax and semantics are mostly finalized, but it's not yet part of the official ECMAScript standard. As of early 2025, no browser ships it natively, though experimental implementations exist in V8 (Chrome) and SpiderMonkey (Firefox) behind flags. Transpilers and polyfills are also being developed, so you can experiment today in Node.js or via Babel. The ecosystem is watching closely, as ShadowRealm could simplify packaging, server‑side rendering, and even micro‑frontends. Expect wide adoption once it reaches Stage 4 and browsers enable it by default, likely within a year or two. Keep an eye on the TC39 repo and try out the polyfill to stay ahead.
Conclusion
ShadowRealm isn't just a new feature—it's a shift in how we think about isolation in JavaScript. By embracing the idea that an application is a collection of realms, we can write more modular, secure, and efficient code. Whether you're building a plugin system, running user‑provided scripts, or just want to prevent accidental globals, ShadowRealm offers a clean solution. While it's still on the horizon, now is the time to understand the concepts and start experimenting. The future of JavaScript is multi‑realm, and ShadowRealm is leading the way.