Settings

Theme

Datasette Apps: Host custom HTML applications inside Datasette

simonwillison.net

156 points by lumpa 16 days ago · 75 comments

Reader

fsuts 15 days ago

To save anyone else wondering what is Datasette a search:

“Datasette is a tool for exploring and publishing data. It helps people take data of any shape, analyze and explore it, and publish it as an interactive website and accompanying API.

Datasette is aimed at data journalists, museum curators, archivists, local governments, scientists, researchers and anyone else who has data that they wish to share with the world. It is part of a wider ecosystem of 44 tools and 154 plugins dedicated to making working with structured data as productive as possible.”

anitil 15 days ago

When I've needed something like this in the past I've spun up simple HTML pages and used the json endpoint that all datasette instances come with [0]. I like this new pattern much better, as it keeps your app and data in one place (I remember having some issue with this at the time, though I can't remember what the actual issue was)

So I imagine we could now load some data in to sqlite, design some HTML also loaded in to the db, and deploy. Although looking at the source, it seems like stored apps are expected to be managed by the plugin itself, but I'm sure there's a way around that

[0] Eg from one of the examples - https://datasette.io/legislators/-/query.json?sql=select+*+f... . If you strip the '.json' you get the html view. For what it's worth there's also a '.csv' version.

lmeyerov 15 days ago

Multiple projects are coming to the same point it seems. Motherduck has been marketing "dives" since the beginning of the year (https://motherduck.com/blog/duck-dive-and-answer/) and in the Louie.ai team, we have been iterating on different patterns for similar needs. I'm getting the feeling that the answer to SaaS apps as fixed UIs over databases being dead because of coding agents means just the fixed dashboard pattern is dead, not SaaS, and BYO UI is part of the new table stakes.

I'm curious where the pattern will go. My sense is there is a split between cathedrals vs bazaar for approach here, where cathedrals are quite rigid app builders, think framer/wix, while bazaars focus a layer below for more flexibility but less integrated.

  • rileyphone 15 days ago

    Absolutely, plus if you control the coding agent you can enforce certain guarantees and have it wrap your services with a custom sdk. I've been exploring this pattern in a couple of different domains where it's just a vite react app wrapped in an iframe with a JWT bridge giving auth, hosted on a separate domain.

  • skeeter2020 15 days ago

    At the enterprise level this feels a lot like Snowflake buying StreamLit to try and have a similar experience, and keep you in the Snowflake ecosystem burning credits.

jacobgold 15 days ago

It is pretty cool that we have browser features like this to rely on.

I remember writing code in the bad old days to parse HTML tags and allowlist specific attributes. Now browsers have a much better solution baked in.

But it still makes me a bit nervous. Seems like a very small bug could sneak in. This is a good example of where I would reach for Fable to double check the implementation and have a lot of extra tests.

(nit: would be nice if the chat box treated Enter and Shift+Enter the way these other companies have trained my brain, but maybe that is a deliberate choice.)

  • simonw 15 days ago

    In the three short days we had access to Fable I did have it run a review, and it spotted an issue for me to fix.

    Thankfully GPT-5.5 is really strong on security stuff too. I wouldn't have dared build this without a whole lot of Opus/GPT-assisted prototyping and testing along the way.

euroderf 15 days ago

I never understood why someone hasn't made a framework that makes it stupidly easy to fill an HTML page with SQLite database tables, with all the usual display controls, and with as much "liveness" as desired, and with a protocol (over HTTPS) to manage comms to a server-side instance. SQLite is robust, lightweight, bulletproof - a WASM build belongs on ALL the webpages !

  • joren- 15 days ago

    As mentioned below I have been building the 'read' side of this: a data publication platform. I wanted to avoid any server side components. The communication / write part and updating the server-side sqlite database would need running components on the server which I wanted to avoid.

    The 'write' part would technically be very doable and not that different from other back-ends.

    https://github.com/GhentCDH/Pihka

  • mstipetic 15 days ago

    Did you have a look at https://evidence.dev

  • iLoveOncall 15 days ago

    Because it's pretty much worthless.

    You almost never need just a basic list of all the data in your table, even if you're able to filter and sort it. There's no moat there at all. People need serious BI tools, and that throws simplicity out of the window (PowerBI, QuickSight, etc.).

    • mpeg 15 days ago

      I disagree, a lot of the time people buy "serious BI tools" precisely because they think they need all that power and complexity.

      In reality, what most people need is much simpler, a mini app with some curated datasets and simple filters, maybe some AI querying if we want to get fancy. There's some companies out there that work with big data, but for the rest of us small data is ok.

      • simonw 15 days ago

        I think of Datasette as a "small data" platform, where small data is anything that would fit on my phone.

        My phone has 1TB of storage.

        • mpeg 15 days ago

          I've used that with companies I consult for, everyone thinks they should do what Google does, so sometimes I'll drop them the "your whole company data fits in my phone/laptop" line to make them understand the (lack of) scale

      • uberex 15 days ago

        duckdb -ui

  • dsego 15 days ago

    Something like sync engines? I think there are a bunch nowadays.

    https://syntax.fm/show/924/sync-engines-and-local-data

  • potatoman22 15 days ago

    It's not specific to SQLlite per se, but that's what most dashboard builders are

  • uberex 15 days ago

    Like MS Access on web?

20after4 14 days ago

From TFA:

> a Datasette-style backend to a self-contained HTML frontend is an astonishingly powerful combination.

1000% agree. And datasette is a terrific framework to build any kind of data exploration or visualization on.

This sounds like an awesome feature and a good excuse for me to dive back into playing with Datasette.

joren- 15 days ago

Looks like a good addition to the datasette ecosystem. I have been working on a similar idea with cusom html around sqlite databases. By default a faceted search interface is generated but by reusing the client side data layer, custom apps are made easy.

The design keeps data and presentation together and even maps do not rely on external services.

I have called it Pihka: https://ghentcdh.github.io/Pihka/ https://github.com/GhentCDH/Pihka

pietz 15 days ago

Hey Simon,

although I'm coming from a different starting point, it seems like some of our thoughts have aligned. I'm building https://caipi.ai/ as a workspace for agents to build simple data driven apps. The agent edits through MCP and the user gets an interactive app in the browser.

If you're interested picking each others brains around this topic, I'd be psyched to have a chat. gh:pietz.

est 15 days ago

I didn't quite get the CSP part. Why use and srcdoc and <meta http-equiv="Content-Security-Policy"> instead of a real server header? Static hosting?

  • simonw 15 days ago

    If you host iframe apps at a fixed URL like:

      /-/apps/iframe-content/timeline.html
    
    You can protect it with CSP headers, but you can't also protect it with the sandbox="" attribute (should a user visit it directly)

    If you want both sandbox= restrictions and CSP headers at the same time the only way I've found that works cross all major borders is the iframe plus srcdoc="" with injected CSP meta headers patterns.

    Note that a lot of sandbox implementations serve their iframe content from a separate domain, to ensure cookies and localStorage and other same origin things are robustly protected.

    I can't do that easily for Datasette because it's open source software that people can run on their own laptops, so I didn't want to block people on "now register a domain/subdomain and set this up in DNS".

    • cxr 15 days ago

      CSP is optional and designed to be one part of a defense-in-depth strategy (to extent that it was thoughtfully designed at all—it's an awful standard that should not have made it past proposal stage). It's not a solution for sandboxing untrusted content and should not be relied upon that way. Treating it like one is a great demonstration of how some uses of CSP make people more vulnerable.

      • simonw 15 days ago

        Right, which is why I'm combining it with <iframe sandbox=""> - which really is designed to be used as a sandbox (if you can figure out the right way to implement it.)

        • cxr 14 days ago

          > <iframe sandbox=""> - which really is designed to be used as a sandbox

          Not for untrusted content living on the same origin to prevent it from exercising any of the powers that it would ordinarily have to be able to access sensitive data. It's a misleading name and shouldn't have been chosen. There is no combination of CSP or the iframe sandbox attribute that can be relied upon for that purpose. This is a fundamental limitation of the way the specs were written.

          (There needs to be a big warning about this on MDN, but moving from the old wiki to a wiki with GitHub for login to the GitHub-based pull request process really didn't help the there's-a-problem-on-this-page-but-limited-resources-to-make-things-better problem.)

          • simonw 14 days ago

            That's why I'm careful not to include allow-same-origin in the sandbox attribute - without that the iframe content is treated as a separate origin from the parent.

            And I serve the content in srcdoc= to ensure there's no URL a user can visit which would directly execute the content outside of that iframe sandbox.

            • cxr 13 days ago

              > That's why I'm careful not to include allow-same-origin in the sandbox attribute

              It doesn't matter. I just said there is no combination of CSP or the iframe sandbox attribute that can be relied upon here.

              • simonw 13 days ago

                If that's true then my project is fatally flawed and I need to stop distributing it.

                I'm not convinced it's true - I've been thinking about this for months, and building experimental prototypes to help me get to the combination that I think makes sense.

                Can you describe an exploit that the combination I'm using of iframe sandbox= srcdoc= with an injected meta CSP tag doesn't handle?

                Would moving the untrusted content to be served from a separate domain entirely close the hole?

                (In case it's not clear the iframe sandbox= is the bit that's doing most of the work here - the CSP stuff is there mainly to protect against malicious apps that deliberately exfiltrate stolen private data.)

                • cxr 13 days ago

                  > Would moving the untrusted content to be served from a separate domain entirely close the hole?

                  Yes.

AIcanbiteme 14 days ago

How does this work, does some mechanism replace the actual tape drive in the Datasette? Can you just use the tape port with the gadget or does it somehow need the tape drive? How do you access the HTML applications, how is the translation to PETSCII handled?

I have no idea how this could work but as a long time Commodore 64 fan I'm interested. The link won't load for me, sadly. Can somebody give me a quick rundown on how I can host HTML apps inside my Commodore Datasette tape drive?

tuo-lei 15 days ago

nice pattern with the stored queries for writes. but who defines them? if the app author can create their own stored queries, the write restriction is basically honor system.

Terretta 15 days ago

A compliment and a curiosity:

1. Love the addition. Everything becoming its own self-serve artifact factory is great. Malleable software's been a dream a long time, it's supposed to be soft and this concept helps get it there.

2. Since Claude goes on and on about surface, now everyone is using it. Or was everyone using it already?

FTA: “I quickly realised that the sandboxed pattern is interesting for way more than just adding custom apps to the interface surface and promoted it to its own top-level concept within the Datasette ecosystem.”

For decades that sentence would have parsed without the word surface in it. What does it mean that's suddenly so – um – load-bearing?

  • simonw 15 days ago

    Huh... not sure how that got in there, I wrote this without LLM assistance (aside from a proof reading run, but I do that in Claude so it doesn't have the ability to edit my own text).

    It's quite possible I've been subconsciously influenced into thinking in terms of "surfaces" though!

    I just edited that to this, which is a bit cleaner:

    > I quickly realised that the sandboxed pattern is interesting for way more than just adding custom apps in a chat interface and promoted it to its own top-level concept within the Datasette ecosystem.

sumitkumar 15 days ago

I just went through the github project repository.

It has 119 repositories.

Is this how AI slop looks like in code? Made for the agents, by the agents? Is this separation of concerns or context management with agents as a first class residents and humans merely acting as custodians?

xgulfie 15 days ago

Why people feel the need to overload terms like "datasette" I'll never know

  • tadfisher 15 days ago

    I think the current meaning has quite successfully replaced the original usage. Unless you typed this on a Commodore VIC-20, I suppose.

    • voidUpdate 15 days ago

      For you maybe, but I've never heard of this site, my only reference for "datasette" is the commodore 1560

      • alnwlsn 15 days ago

        Me too, and also I've never used one and it was discontinued before I was born

  • simonw 15 days ago

    I learned to program on a C64 and one of the first programs I wrote myself was an incredible basic "database" (really just a program that could store and then return simple fielded data.)

    I named my database management software Datasette as an homage to the C64. I also figured it would be a unique name that would be easy to search for...

    ... jokes on me, it turns out the retro computing C64 community is way more active than I expected and there are still plenty of people taking about Datasette tape drives online, 30+ years after they stopped being manufactured and sold.

  • DANmode 15 days ago

    I can’t even parse what you’re complaining about. Could you elaborate?

CurryFurry 15 days ago

Why would / could i host data this large on a tape? Or did someone mis-use and re-label its meaning? Maybe for some tech hipster product?

hankbond 15 days ago

Wow this is very similar to the direction im taking with my new project https://github.com/hank-bond/uix (warning the code base is certainly not messy but the application is barely usable for anything as of this post).

Here the goal is to be a self-assembling harness (akin to pi) but focusing on duplex human-agent interactivity over rendered HTML "apps". To start, it's focused more on the "please review this PR and then generate a one-page report" with the ability to write comments in the actual report that automatically get sent back to the agent. The end goal is closer to offering a substrate for less technical people to be able to build personal applications like

- an interactive wiki maintainer: chat with the agent about an article, pull out sections, append/create concepts in the wiki with the new info - agent code harness: agent tabs to the left, chat in middle, code diffs on the right (like the superset/commander class of apps)

Anyway, I'm really into the "self assembling" class of software where everything is basically just an SDK + Agent. I think we might actually be ushering in a new era of "personal computing" in that it's less friction than ever to personalize your setup to your whims. Anyway, thats the goal I'm reaching for.

It seems many others are coalescing on this idea at the same time, so it must just be in the aether.

  • ai_fry_ur_brain 15 days ago

    People that overuse LLMs I notice all build the same things and have the same ideas. Its one of the many reasons I avoid them, it kinda leads people into this average group where creativity is dead and there's a kinda hive mind controlling them.

    Ive witnessed it many times now, im positive this phenomenon exists.

    • pietz 15 days ago

      Or, your know, people who are exploring the limit of current tools come across the lack of certain solutions and start building them.

    • hankbond 15 days ago

      People also build the same things if they have the same needs. That doesn't mean creativity is dead. My life as a software engineer is not that unique of others. This isn't really something to lament. There's nothing wrong with exploring similar ideas.

Keyboard Shortcuts

j
Next item
k
Previous item
o / Enter
Open selected item
?
Show this help
Esc
Close modal / clear selection