Datasette Apps: Host custom HTML applications inside Datasette
Simon Willison unveils Datasette Apps, a powerful new plugin enabling secure, self-contained HTML+JavaScript applications directly within Datasette using tightly sandboxed iframes. This extension transforms Datasette from a read-only data explorer into a platform for dynamic, custom interfaces, leveraging secure MessageChannel() communication for SQL interactions. The project also highlights significant AI assistance in its development and app generation, pushing the boundaries of what's possible with data and LLMs.
The Lowdown
Datasette, known for serving read-only data, has evolved with the introduction of Datasette Apps, a new plugin designed to host custom HTML and JavaScript applications directly within its environment. This development aims to bridge the gap between data exploration and custom application development, offering a secure and flexible way to interact with data.
- Datasette Apps run as self-contained HTML+JavaScript applications within tightly constrained <iframe> sandboxes.
- These sandboxed environments enforce strict Content Security Policies (CSPs) to prevent external HTTP requests and exfiltration of private data, based on extensive security research and AI-assisted testing.
- Apps can execute read-only SQL queries against Datasette databases, and for write operations, they utilize allow-listed "stored queries" for enhanced security.
- Secure communication between the iframe and the parent Datasette application is facilitated using postMessage() and, more robustly, MessageChannel(), ensuring command execution only from trusted sources.
- The system provides visible logging for SQL queries and errors, aiding in the development and debugging of custom applications.
- A notable feature is the integration with AI, allowing users to generate new apps or modify existing ones by providing a prompt and database schema to LLMs like ChatGPT or Claude.
- The development of Datasette Apps itself heavily relied on AI assistance, with various models (Claude Opus, GPT-5.5, Claude Fable 5) contributing to prototyping, planning, and even security evaluations, which identified and rectified a critical vulnerability related to CSP allow-listing permissions.

This release signifies Datasette's expansion beyond simple data publication, enabling the creation of rich, interactive applications that unlock deeper insights and utility from collected data. The emphasis on robust security, flexible data interaction, and AI-driven development positions Datasette Apps as a compelling solution for building custom data interfaces.
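The two mechanisms summarized above, read-only ad-hoc SQL with allow-listed stored queries for writes, and a MessageChannel() hand-off established after a postMessage() handshake, as an added JavaScript example. This is illustrative code written for this summary, not the Datasette Apps plugin's own code: every name in it (createBridge, isTrustedHandshake, handleCommand, STORED_QUERIES, fakeExecutor, roundTrip, demo) is an assumption, the SELECT/WITH prefix check is a simplification the page does not describe, and the stored-query entries and rows are constructed sample data. It runs under Node 15 or later, where MessageChannel is a global with the same port API a browser provides.

```javascript
// Illustrative parent-side bridge for a sandboxed app iframe (not the Datasette
// Apps plugin's own code). All names here are assumptions for this example.

// Allow-listed "stored queries": the only route by which an app may write.
// Constructed sample data; only the listed parameters are ever forwarded.
const STORED_QUERIES = {
  add_note: { sql: "INSERT INTO notes (body) VALUES (:body)", params: ["body"] },
};

// Step 1: the parent receives a one-off hello via window.postMessage. Any frame
// can post to the parent, so the source window and origin must both match.
// Note: a sandboxed iframe without allow-same-origin reports origin "null",
// which is why the identity check on event.source is the decisive one.
function isTrustedHandshake(event, expected) {
  return event.origin === expected.origin &&
         event.source === expected.source &&
         !!event.data && event.data.type === "datasette-app-hello";
}

// Deliberately simple read-only screen for ad-hoc SQL: one statement that
// starts with SELECT or WITH. Assumption for this example; a real deployment
// should additionally execute on a read-only database connection.
function isReadOnlySql(sql) {
  const trimmed = sql.trim().replace(/;\s*$/, "");
  if (trimmed.includes(";")) return false; // no statement stacking
  return /^(select|with)\b/i.test(trimmed);
}

// Turn an app command into a reply object. Never throws: failures go back to
// the app as { ok: false } so the parent can also surface them in its log.
function handleCommand(msg, executor) {
  if (!msg || typeof msg !== "object") return { ok: false, error: "malformed message" };
  if (msg.type === "sql") {
    if (typeof msg.sql !== "string" || !isReadOnlySql(msg.sql)) {
      return { ok: false, error: "only a single read-only SELECT/WITH statement is allowed" };
    }
    return { ok: true, rows: executor(msg.sql, msg.params || {}) };
  }
  if (msg.type === "stored") {
    const entry = STORED_QUERIES[msg.name];
    if (!entry) return { ok: false, error: `unknown stored query: ${String(msg.name)}` };
    const params = {};
    for (const p of entry.params) params[p] = (msg.params || {})[p]; // drop extras
    return { ok: true, rows: executor(entry.sql, params) };
  }
  return { ok: false, error: `unknown command type: ${String(msg.type)}` };
}

// Step 2: after a trusted handshake the parent creates a MessageChannel, keeps
// port1 and transfers port2 to the iframe (in a browser, via postMessage with
// the port in the transfer list). From then on only the holder of port2 can
// issue commands, so no per-message origin check is needed on this channel.
function createBridge(executor, log = () => {}) {
  const { port1, port2 } = new MessageChannel();
  port1.onmessage = (event) => {
    const reply = handleCommand(event.data, executor);
    log(reply.ok ? `sql ok: ${JSON.stringify(event.data)}` : `error: ${reply.error}`);
    port1.postMessage({ id: event.data && event.data.id, ...reply });
  };
  return { appPort: port2, close: () => { port1.close(); port2.close(); } };
}

// Stand-in for the database: echoes what would have been executed (constructed).
function fakeExecutor(sql, params) {
  return [{ sql, params }];
}

// App side: send one command over its port and await the reply.
function roundTrip(bridge, command) {
  return new Promise((resolve) => {
    bridge.appPort.onmessage = (event) => resolve(event.data);
    bridge.appPort.postMessage(command);
  });
}

// A read succeeds, a raw write is refused, and a stored query runs with only
// its declared parameters; every command leaves a visible log line.
async function demo() {
  const logLines = [];
  const bridge = createBridge(fakeExecutor, (line) => logLines.push(line));
  const ok = await roundTrip(bridge, { id: 1, type: "sql", sql: "SELECT 1" });
  const denied = await roundTrip(bridge, { id: 2, type: "sql", sql: "DELETE FROM notes" });
  const stored = await roundTrip(bridge, {
    id: 3, type: "stored", name: "add_note", params: { body: "hi", extra: "ignored" },
  });
  bridge.close();
  return { ok, denied, stored, logLines };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

The reason MessageChannel() is the more robust of the two is visible in createBridge: the parent validates the sender exactly once, at the handshake, and afterwards possession of the transferred port is the credential, whereas a window.postMessage listener would have to re-check source and origin on every message and could still be reached by any other frame that learns the parent's origin.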