diff --git a/README.md b/README.md
index 859f16d..64faa4b 100644
--- a/README.md
+++ b/README.md
@@ -83,7 +83,7 @@ pnpm install
 npx wrangler deploy --name captun-browser-demo
 ```
 
-Handler source in the demo runs as first-party JavaScript in the page and is saved in local storage. Only paste handler code you wrote or trust.
+Handler source in the demo runs in a dedicated same-origin Web Worker and is saved in local storage. It cannot touch the page DOM directly, but it is still JavaScript you are choosing to run in this origin, so only paste handler code you wrote or trust.
 
 ## Advanced usage
 
diff --git a/docs/browser-demo-handler-worker.js b/docs/browser-demo-handler-worker.js
new file mode 100644
index 0000000..a39ecc0
--- /dev/null
+++ b/docs/browser-demo-handler-worker.js
@@ -0,0 +1,159 @@
+self.addEventListener("message", (event) => {
+  handleMessage(event.data).catch((error) => {
+    postError(error);
+  });
+});
+
+async function handleMessage(message) {
+  if (!message || typeof message.type !== "string") {
+    throw new Error("Handler worker received an invalid message.");
+  }
+
+  if (message.type === "validate") {
+    compileHandler(message.source);
+    self.postMessage({ type: "validated" });
+    return;
+  }
+
+  if (message.type === "fetch") {
+    const handler = compileHandler(message.source);
+    const request = deserializeRequest(message.request);
+    const response = await normalizeResponse(await handler(request, handlerContext(message)));
+    await postResponse(response);
+    return;
+  }
+
+  throw new Error("Handler worker received an unknown message: " + message.type);
+}
+
+function compileHandler(source) {
+  const handlerSource = source ? String(source).trim() : "";
+
+  if (!handlerSource) {
+    throw new Error("Handler source is empty.");
+  }
+
+  const value = Function(
+    '"use strict";\nreturn (\n' +
+      handlerSource +
+      "\n);\n//# sourceURL=captun-browser-demo-handler-source.js",
+  )();
+
+  if (typeof value === "function") return value;
+  if (value && typeof value.fetch === "function") return value.fetch.bind(value);
+
+  throw new Error("Handler source must evaluate to a function or an object with fetch().");
+}
+
+function deserializeRequest(request) {
+  const init = {
+    headers: request.headers,
+    method: request.method,
+  };
+
+  if (request.body !== null && typeof request.body !== "undefined") {
+    init.body = request.body;
+    init.duplex = "half";
+  }
+
+  return new Request(request.url, init);
+}
+
+function handlerContext(message) {
+  const context = message.context;
+
+  return {
+    corsHeaders: context.corsHeaders,
+    log(value) {
+      self.postMessage({
+        type: "handler-log",
+        message: String(value),
+        requestId: context.requestId,
+      });
+    },
+    publicUrl: context.publicUrl,
+    requestId: context.requestId,
+    tunnelName: context.tunnelName,
+  };
+}
+
+async function normalizeResponse(value) {
+  const resolved = await value;
+  const isReadableStream =
+    typeof ReadableStream === "function" && resolved instanceof ReadableStream;
+
+  if (resolved instanceof Response) return resolved;
+  if (
+    typeof resolved === "string" ||
+    resolved instanceof Blob ||
+    isReadableStream ||
+    resolved instanceof Uint8Array
+  ) {
+    return new Response(resolved);
+  }
+
+  throw new Error("Handler must return a Response, string, Blob, ReadableStream, or Uint8Array.");
+}
+
+async function postResponse(response) {
+  if (response.type === "error") {
+    self.postMessage({ type: "response-start", response: { type: "error" } });
+    return;
+  }
+
+  self.postMessage({
+    type: "response-start",
+    response: {
+      hasBody: Boolean(response.body),
+      headers: Array.from(response.headers.entries()),
+      status: response.status,
+      statusText: response.statusText,
+      type: "default",
+    },
+  });
+
+  if (!response.body) return;
+
+  const reader = response.body.getReader();
+  try {
+    while (true) {
+      const chunk = await reader.read();
+      if (chunk.done) break;
+
+      const bytes = transferableBytes(chunk.value);
+      self.postMessage({ type: "response-chunk", chunk: bytes }, [bytes.buffer]);
+    }
+    self.postMessage({ type: "response-done" });
+  } catch (error) {
+    self.postMessage({ type: "response-error", error: serializeError(error) });
+  }
+}
+
+function transferableBytes(value) {
+  if (value.byteOffset === 0 && value.byteLength === value.buffer.byteLength) {
+    return value;
+  }
+  return value.slice();
+}
+
+function postError(error) {
+  self.postMessage({
+    type: "error",
+    error: serializeError(error),
+  });
+}
+
+function serializeError(error) {
+  if (error instanceof Error) {
+    return {
+      message: error.message,
+      name: error.name,
+      stack: error.stack,
+    };
+  }
+
+  return {
+    message: String(error),
+    name: "Error",
+  };
+}
diff --git a/docs/browser-demo.html b/docs/browser-demo.html
index 1637822..928943b 100644
--- a/docs/browser-demo.html
+++ b/docs/browser-demo.html
@@ -70,8 +70,8 @@ <h2 id="handlerTitle">Fetch Handler</h2>
         </div>
         <div class="panel-body handler-grid">
           <p class="notice">
-            Handler source runs as first-party JavaScript in this page and is saved locally. Only
-            run code you wrote or trust.
+            Handler source runs in an isolated Web Worker and is saved locally. Only run code you
+            wrote or trust.
           </p>
           <label class="field">
             <span>Handler source</span>
diff --git a/docs/browser-demo.js b/docs/browser-demo.js
index 5dfc67e..041b40c 100644
--- a/docs/browser-demo.js
+++ b/docs/browser-demo.js
@@ -1,4 +1,6 @@
 const storagePrefix = "captun-browser-demo:";
+const handlerWorkerUrl = new URL("./browser-demo-handler-worker.js", window.location.href);
+const handlerWorkerTimeoutMs = 30000;
 const defaultHandler = `async function fetch(request, context) {
   const url = new URL(request.url);
   const headers = new Headers(context.corsHeaders);
@@ -52,6 +54,7 @@ let activeTunnel;
 let activePublicUrl = "";
 let requestCount = 0;
 let createTunnel;
+let transferableReadableStreamSupport;
 
 initialize();
 
@@ -110,7 +113,7 @@ async function connect() {
   }
 
   try {
-    compileHandler();
+    await validateHandlerSource();
   } catch (error) {
     setError("Handler did not compile");
     appendLog("error", "Handler did not compile", formatError(error));
@@ -162,18 +165,7 @@ async function handleTunnelRequest(request, tunnelName) {
   appendLog("request", "#" + id + " " + request.method + " " + url.pathname + url.search);
 
   try {
-    const handler = compileHandler();
-    const response = await normalizeResponse(
-      await handler(request, {
-        corsHeaders: corsHeaders(),
-        log(message) {
-          appendLog("handler", "#" + id + " " + message);
-        },
-        publicUrl: activePublicUrl,
-        requestId: id,
-        tunnelName,
-      }),
-    );
+    const response = await runHandlerInWorker(request, tunnelName, id);
     appendLog("response", "#" + id + " " + response.status + " " + response.statusText);
     return response;
   } catch (error) {
@@ -182,31 +174,6 @@ async function handleTunnelRequest(request, tunnelName) {
   }
 }
 
-function compileHandler() {
-  const source = elements.handlerSource.value.trim();
-  const value = Function('"use strict"; return (' + source + ");")();
-
-  if (typeof value === "function") return value;
-  if (value && typeof value.fetch === "function") return value.fetch.bind(value);
-
-  throw new Error("Handler source must evaluate to a function or an object with fetch().");
-}
-
-async function normalizeResponse(value) {
-  const resolved = await value;
-  if (resolved instanceof Response) return resolved;
-  if (
-    typeof resolved === "string" ||
-    resolved instanceof Blob ||
-    resolved instanceof ReadableStream ||
-    resolved instanceof Uint8Array
-  ) {
-    return new Response(resolved);
-  }
-
-  throw new Error("Handler must return a Response, string, Blob, ReadableStream, or Uint8Array.");
-}
-
 async function sendProbe() {
   if (!activePublicUrl) {
     appendLog("error", "Connect before sending a probe request");
@@ -283,6 +250,252 @@ async function loadBrowserClient() {
   return createTunnel;
 }
 
+async function validateHandlerSource() {
+  await runHandlerWorker(
+    {
+      type: "validate",
+      source: currentHandlerSource(),
+    },
+    [],
+  );
+}
+
+async function runHandlerInWorker(request, tunnelName, requestId) {
+  const serialized = await serializeRequest(request);
+  return await runHandlerWorker(
+    {
+      type: "fetch",
+      source: currentHandlerSource(),
+      request: serialized.request,
+      context: {
+        corsHeaders: corsHeaders(),
+        publicUrl: activePublicUrl,
+        requestId,
+        tunnelName,
+      },
+    },
+    serialized.transfer,
+  );
+}
+
+function runHandlerWorker(message, transfer) {
+  return new Promise((resolve, reject) => {
+    let responseStarted = false;
+    let settledInitialResponse = false;
+    let streamController;
+    let worker;
+    let timeout;
+
+    const terminate = () => {
+      clearTimeout(timeout);
+      if (worker) worker.terminate();
+    };
+
+    const resolveInitialResponse = (value, keepWorker) => {
+      if (settledInitialResponse) return;
+      settledInitialResponse = true;
+      clearTimeout(timeout);
+      if (!keepWorker) terminate();
+      resolve(value);
+    };
+
+    const rejectOrErrorStream = (error) => {
+      if (responseStarted && streamController) {
+        streamController.error(error);
+        terminate();
+        return;
+      }
+      if (settledInitialResponse) return;
+      settledInitialResponse = true;
+      terminate();
+      reject(error);
+    };
+
+    try {
+      worker = new Worker(handlerWorkerUrl.href, { name: "captun-browser-demo-handler" });
+    } catch (error) {
+      reject(error);
+      return;
+    }
+
+    timeout = window.setTimeout(() => {
+      rejectOrErrorStream(new Error("Handler worker did not respond within 30 seconds."));
+    }, handlerWorkerTimeoutMs);
+
+    worker.addEventListener("message", (event) => {
+      const workerMessage = event.data;
+      if (!workerMessage || typeof workerMessage.type !== "string") return;
+
+      if (workerMessage.type === "handler-log") {
+        appendLog("handler", "#" + workerMessage.requestId + " " + workerMessage.message);
+        return;
+      }
+
+      if (workerMessage.type === "validated") {
+        resolveInitialResponse(undefined, false);
+        return;
+      }
+
+      if (workerMessage.type === "response-start") {
+        responseStarted = true;
+        try {
+          const response = responseFromWorkerStart(workerMessage.response, () => worker);
+          resolveInitialResponse(response, Boolean(workerMessage.response?.hasBody));
+        } catch (error) {
+          rejectOrErrorStream(error);
+        }
+        return;
+      }
+
+      if (workerMessage.type === "response-chunk") {
+        if (!streamController) {
+          rejectOrErrorStream(new Error("Handler worker sent a response chunk before a response."));
+          return;
+        }
+        streamController.enqueue(new Uint8Array(workerMessage.chunk));
+        return;
+      }
+
+      if (workerMessage.type === "response-done") {
+        if (streamController) streamController.close();
+        terminate();
+        return;
+      }
+
+      if (workerMessage.type === "response-error") {
+        rejectOrErrorStream(deserializeWorkerError(workerMessage.error));
+        return;
+      }
+
+      if (workerMessage.type === "error") {
+        rejectOrErrorStream(deserializeWorkerError(workerMessage.error));
+        return;
+      }
+
+      rejectOrErrorStream(new Error("Handler worker sent an unknown message: " + workerMessage.type));
+    });
+
+    worker.addEventListener("error", (event) => {
+      event.preventDefault();
+      rejectOrErrorStream(new Error(event.message || "Handler worker failed."));
+    });
+
+    worker.addEventListener("messageerror", () => {
+      rejectOrErrorStream(new Error("Handler worker sent a response that could not be read."));
+    });
+
+    try {
+      worker.postMessage(message, transfer);
+    } catch (error) {
+      rejectOrErrorStream(error);
+    }
+
+    function responseFromWorkerStart(response, currentWorker) {
+      if (!response || typeof response !== "object") {
+        throw new Error("Handler worker returned an invalid response.");
+      }
+
+      if (response.type === "error") return Response.error();
+
+      const body = response.hasBody
+        ? new ReadableStream({
+            start(controller) {
+              streamController = controller;
+            },
+            cancel() {
+              const runningWorker = currentWorker();
+              if (runningWorker) runningWorker.terminate();
+            },
+          })
+        : null;
+
+      return new Response(body, {
+        headers: response.headers,
+        status: response.status,
+        statusText: response.statusText,
+      });
+    }
+  });
+}
+
+async function serializeRequest(request) {
+  if (request.method === "GET" || request.method === "HEAD") {
+    return {
+      request: {
+        body: null,
+        headers: Array.from(request.headers.entries()),
+        method: request.method,
+        url: request.url,
+      },
+      transfer: [],
+    };
+  }
+
+  if (request.body && (await supportsTransferableReadableStreams())) {
+    return {
+      request: {
+        body: request.body,
+        headers: Array.from(request.headers.entries()),
+        method: request.method,
+        url: request.url,
+      },
+      transfer: [request.body],
+    };
+  }
+
+  const body = await request.arrayBuffer();
+
+  return {
+    request: {
+      body,
+      headers: Array.from(request.headers.entries()),
+      method: request.method,
+      url: request.url,
+    },
+    transfer: body ? [body] : [],
+  };
+}
+
+async function supportsTransferableReadableStreams() {
+  if (typeof ReadableStream !== "function") return false;
+  if (typeof transferableReadableStreamSupport === "boolean") {
+    return transferableReadableStreamSupport;
+  }
+
+  const channel = new MessageChannel();
+  try {
+    const stream = new ReadableStream({
+      start(controller) {
+        controller.close();
+      },
+    });
+    channel.port1.postMessage(stream, [stream]);
+    transferableReadableStreamSupport = true;
+  } catch {
+    transferableReadableStreamSupport = false;
+  } finally {
+    channel.port1.close();
+    channel.port2.close();
+  }
+
+  return transferableReadableStreamSupport;
+}
+
+function deserializeWorkerError(error) {
+  const name = error && error.name ? String(error.name) : "Error";
+  const message = error && error.message ? String(error.message) : "Unknown handler worker error";
+  const formatted = name === "Error" ? message : name + ": " + message;
+  const value = new Error(formatted);
+
+  if (error && error.stack) value.stack = String(error.stack);
+
+  return value;
+}
+
+function currentHandlerSource() {
+  return elements.handlerSource.value.trim();
+}
+
 function setConnecting() {
   elements.status.textContent = "Connecting";
   elements.status.dataset.status = "connecting";
diff --git a/tasks/complete/2026-05-19-browser-demo-handler-sandbox.md b/tasks/complete/2026-05-19-browser-demo-handler-sandbox.md
new file mode 100644
index 0000000..2616b1f
--- /dev/null
+++ b/tasks/complete/2026-05-19-browser-demo-handler-sandbox.md
@@ -0,0 +1,36 @@
+---
+status: done
+size: medium
+base_pr: 7
+---
+
+Summary: Stacked follow-up to the browser demo page. Move editable handler execution out of the first-party page context while preserving the no-build static docs demo and request/response logging.
+
+Status summary: Done. Editable handler compilation and execution now happen in a static dedicated Web Worker, while the main page keeps the tunnel/probe/log UI. Response normalization, handler logs, compile errors, and the built-in probe were verified against a local Wrangler Worker.
+
+- [x] Run editable handler source in an isolated execution context instead of `Function(...)` in `docs/browser-demo.js`. _Added `docs/browser-demo-handler-worker.js`; `docs/browser-demo.js` now serializes requests into the worker and reconstructs worker-normalized responses._
+- [x] Preserve support for handlers that return `Response`, string, `Blob`, `ReadableStream`, or `Uint8Array`. _The worker normalizes those return types to `Response`, buffers the body across the worker boundary, and the browser smoke exercised all five supported shapes._
+- [x] Preserve tunnel request logs, handler logs, and the built-in probe behavior. _The main page still records tunnel/probe request and response rows; worker `context.log()` messages post back as handler log rows._
+- [x] Surface compile/runtime errors clearly in the existing log and probe output UI. _Worker errors are serialized with their error name/message and shown through the existing `Handler did not compile` and handler error paths._
+- [x] Keep the demo static and GitHub-Pages-friendly; do not add a bundler or app framework. _The sandbox is a plain static worker script loaded next to the existing HTML/CSS/JS assets._
+- [x] Verify with syntax checks, repo checks, tests, and a local browser smoke where practical. _Ran `node --check`, `pnpm run check`, `pnpm test`, a direct worker browser smoke, and a full local Worker probe smoke._
+
+## Assumptions
+
+- A dedicated Web Worker is enough isolation for this follow-up: it prevents handler code from touching the page DOM and local storage, while keeping web-standard `Request`/`Response` available.
+- Stronger sandboxing, such as origin isolation or SES-style policy controls, can remain out of scope unless the static worker approach proves insufficient.
+- This PR should use PR #7 as its base and stay focused on handler execution isolation.
+
+## Implementation Log
+
+- Added `docs/browser-demo-handler-worker.js` as the static worker that compiles editable handler source, builds a worker-side `Request`, normalizes supported handler return types, and posts serialized responses/errors/logs back to the page.
+- Updated `docs/browser-demo.js` to validate handler source via the worker before connecting and to execute each tunnel request in a fresh worker instance with a 30-second no-response guard.
+- Updated the handler notice in `docs/browser-demo.html` to describe worker execution rather than first-party page execution.
+- `node --check docs/browser-demo.js`, `node --check docs/browser-demo-client.js`, and `node --check docs/browser-demo-handler-worker.js` passed.
+- `pnpm run check` passed after installing dependencies from the existing lockfile.
+- `pnpm test` passed with 29 tests across 3 files.
+- Browser smoke served `docs/` on `http://127.0.0.1:8765/browser-demo.html`; direct worker calls returned expected bodies for `Response`, string, `Blob`, `Uint8Array`, and `ReadableStream`, and confirmed handler code sees `document`/`localStorage` as `undefined`.
+- Browser compile-error smoke set invalid handler source and confirmed the existing status/log UI reported `Handler did not compile` with a `SyntaxError`.
+- Full local probe smoke ran `pnpm exec wrangler dev --ip 127.0.0.1 --port 8788`, connected the demo to `http://127.0.0.1:8788/browser-smoke`, sent the built-in `/health` probe, and received `200 OK` JSON through the browser handler with request/handler/response log rows.
+- Review follow-up streams handler response chunks across the worker boundary, uses transferable request body streams when the browser supports them, and updates README wording for the worker-based trust model.
+- Browser review-fix smoke served `docs/` on `http://127.0.0.1:8098/browser-demo.html` and confirmed a delayed `ReadableStream` response resolves before the first body chunk and delivers later chunks incrementally.