I mean, I get what you mean, but this is literally what's already happening. It's distributed via HTTP, and executed in your browser. You can save it (Ctrl-S, still a thing browsers do), and -- since it's distributed in source form -- easily inspect it, or reopen it later, in a different browser on a different computer. A zip file of the same thing is available on the repo (it's a zip of the repo).
If you don't trust that it won't access the web, disable your internet while running it or some such, as with other code you don't trust. If you don't trust it to mess with your files, well, you're in luck because modern browsers are probably the best audited sandbox out there.
I say I get what you mean, because most people won't do any of it. Instead of saving the page and running what they trust or have verified to be a safe snapshot of the page, they'll reopen the hosted version, trusting that it's still safe, even though the page may have been replaced with one that does upload their files.
I mean, I get what you mean, but this is literally what's already happening. It's distributed via HTTP, and executed in your browser. You can save it (Ctrl-S, still a thing browsers do), and -- since it's distributed in source form -- easily inspect it, or reopen it later, in a different browser on a different computer. A zip file of the same thing is available on the repo (it's a zip of the repo).
If you don't trust that it won't access the web, disable your internet while running it or some such, as with other code you don't trust. If you don't trust it to mess with your files, well, you're in luck because modern browsers are probably the best audited sandbox out there.
I say I get what you mean, because most people won't do any of it. Instead of saving the page and running what they trust or have verified to be a safe snapshot of the page, they'll reopen the hosted version, trusting that it's still safe, even though the page may have been replaced with one that does upload their files.