I never used JavaScript server side, actually I didn't even know that it would be used or useful there. Now that I found out that it is possible and there is a quite active community, I am wondering if there are some known drawbacks when used on the server side.
Are there some assumptions that I should be aware of on the sandbox model? Should I care about the same origin policy typically enforced by browsers or not?
JavaScript is a language just like any other language, such as C and Java. You can run Java on your desktop PC, and on your server as well. In the same vein, you can run JavaScript just fine on a server.
Node.js is one popular asynchronous I/O library that uses the JavaScript language. It runs extremely well in a server environment as evidenced by GitHub and Klout.
The same origin policy is only applicable in browsers, i.e. at the client side. The sandbox is still in the language in the sense that you probably will not hit a buffer overflow. It is not the same sandbox as implemented in browsers, that is, no access to sockets, and no access to files.
The bottomline is to think about JavaScript as a generic language.
The drawback from a programming point of view is the JavaScript interpreter runs single-threadedly. There could have been improvements in this area. From a security point of view there are likely no issues to worry about.
As @Nam points out, Javascript is "just" a programming language like any other. It has a few shortcomings which can make it a bit delicate to use in an hostile environment, e.g. its "numbers" are really floating point values, so you begin to lose a bit of precision when going beyond the 253 limit: "secure programming" is mostly about making sure that the code reacts appropriately when receiving any input data (even invalid input data) and such fuzziness in the language features makes it somewhat harder. There is nothing which would make Javascript inherently inadequate for server-side programming, but it is probably not the easiest language to build a robust server with.
I have seen an expensive SaaS app which allows users to upload Javascript snippets that will be executed server-side when events are triggered. This is a hugely beneficial feature for this app but obviously, because they are executing untrusted code uploaded by users, I'm sure they developed a special restricted Javascript execution environment.
This is the same problem you run into with any dynamic interpreted languages such as Python or Ruby. Normal application security practices should be used when you can write your own trusted code to run on the server, but if you are executing untrusted code from users you need to restrict the interpreter, for example, from executing something like Python's eval() function that could be used to escape that sandbox.
