Zynox Browser Engine

Built by Zynox. A from-scratch browser engine — fast through minimal memory, secure by design.

---

What Is Zynox Browser Engine?

Zynox Browser Engine is a real, ground-up browser engine — not a wrapper around Chrome, WebKit, or Gecko. It implements the full HTML → DOM → CSS → Layout → Render → JavaScript pipeline from scratch, with a clear architecture path to a Rust production rewrite.

Core philosophy:

• Speed through minimal memory — every data structure is chosen for minimal footprint
• Security by default — block first, allow explicitly
• No magic — every layer is readable and replaceable
• Research grade now, production grade later

---

Architecture

URL / HTML
    │
    ▼
┌──────────────────┐
│   Network Layer  │  HTTPS fetch · LRU cache · security validation
└────────┬─────────┘
         │ HTML text
         ▼
┌──────────────────┐
│  HTML Tokenizer  │  HTML → token stream  (one-pass, O(n))
└────────┬─────────┘
         │ Token[]
         ▼
┌──────────────────┐
│   DOM Builder    │  tokens → DOM tree  (stack-based, no recursion)
└────────┬─────────┘
         │ DOMNode tree
         ▼
┌──────────────────┐
│   CSS Engine     │  cascade · specificity · inheritance · UA stylesheet
└────────┬─────────┘
         │ computed styles per node
         ▼
┌──────────────────┐
│  Layout Engine   │  box model · block/inline flow · pixel positions
└────────┬─────────┘
         │ LayoutBox tree
         ▼
┌──────────────────┐
│    Renderer      │  SDL2/pygame painter · backgrounds · borders · text
└────────┬─────────┘
         │ pixels
         ▼
┌──────────────────┐
│  JavaScript      │  QuickJS · DOM bindings · events · mutations
│  Engine          │  window · document · localStorage · setTimeout
└──────────────────┘

---

Project Structure

zynox-browser-engine/
├── engine.py                  ← Main orchestrator (start here)
├── core/
│   ├── tokenizer.py           ← HTML Tokenizer
│   ├── dom.py                 ← DOM Builder + DOMNode tree
│   ├── css.py                 ← CSS Parser + Style Engine
│   ├── layout.py              ← Layout Engine (box model)
│   └── js_engine.py           ← JavaScript Engine (QuickJS + DOM bindings)
├── network/
│   └── network.py             ← HTTP client · cache · security policy
├── renderer/
│   └── renderer.py            ← SDL2/pygame painter
├── security/                  ← (Phase 3: process isolation, sandboxing)
└── tests/                     ← (coming)

---

Requirements

pip install pygame quickjs

---

Running It

# Full engine — HTML + CSS + Layout + JS pipeline
python engine.py

# Individual layers
cd core
python tokenizer.py    # HTML → tokens
python dom.py          # tokens → DOM tree
python css.py          # CSS cascade demo
python layout.py       # layout computation
python js_engine.py    # JavaScript engine demo

cd ../network
python network.py      # network + security tests

cd ../renderer
python renderer.py     # renders a test page to PNG

---

Security Model

The network layer enforces security at every request:

Rule	Detail
Blocked schemes	javascript: vbscript: file: ftp: about:
Blocked hosts	localhost · 127.0.0.1 · 192.168.x.x · 10.x.x.x (SSRF prevention)
Blocked ports	SSH (22) · MySQL (3306) · Redis (6379) · MongoDB (27017) and more
HTTPS enforcement	Configurable (off for dev, on for production builds)
Referrer policy	Same-origin only
JS sandbox	No filesystem access · fetch routed through engine · localStorage in-memory only
DNT	Sent by default on all requests
SSL	Certificate verification on by default

---

Changelog

v0.2.0-alpha — Phase 2: Rendering & JavaScript

• Renderer: SDL2/pygame painter — backgrounds, borders, text, fonts, bold, color
• JavaScript Engine: QuickJS (ES2020) with full DOM bindings
  • window, document, navigator, location, console
  • querySelector, getElementById, getElementsByClassName, getElementsByTagName
  • setAttribute, addEventListener, click(), appendChild, createElement
  • localStorage / sessionStorage (sandboxed in-memory)
  • setTimeout / setInterval / requestAnimationFrame
  • fetch sandboxed and routed through Zynox network layer
• Full pipeline now: Network → Tokenizer → DOM → CSS → Layout → Render → JS

v0.1.0-alpha — Phase 1: Core Pipeline

• HTML Tokenizer (one-pass, WHATWG-inspired)
• DOM Builder (stack-based, handles auto-close, querySelector/getElementById)
• CSS Engine (full cascade, specificity, inheritance, UA stylesheet)
• Layout Engine (box model, block/inline, pixel positions)
• Network Layer (HTTPS, LRU cache, security policy)
• Full pipeline in ~2ms on a typical page

---

Roadmap

Phase 1 — Core Pipeline          ✅ v0.1.0-alpha
Phase 2 — Rendering & JS         ✅ v0.2.0-alpha
Phase 3 — Real Browser Features  ⬜ v0.3.0
  · Interactive window (scroll, resize, keyboard/mouse input)
  · Image loading (PNG, JPEG, WebP, SVG)
  · Full CSS3 (flexbox, grid, transitions)
  · Content Security Policy engine
  · Cookie + session management
  · Process isolation (tab sandboxing)
Phase 4 — Own JavaScript Engine  ⬜ v0.4.0
  · Zynox JS: bytecode compiler + VM + garbage collector
  · Replace QuickJS entirely
Phase 5 — Rust Rewrite           ⬜ v1.0.0
  · Hot paths rewritten in Rust
  · Full memory safety guarantees
  · Production performance targets

---

About

Zynox Browser Engine is a product of Zynox.

Started: 2026