Prevent DOM access (i.e. XHR and such)

[natevw]

Just spent today working on a sandboxing thing from a different angle before I found this. Turns out it's actually somewhat complementary!

1. The iframe.contentWindow.eval trick does a great job preventing an untrusted script from messing with other people's object prototypes.
2. Combining "use strict"; with a silly closure trick it seems possible to prevent access to all global objects…except object literal prototypes!

You can take a look at what I got on this in https://github.com/natevw/evel/blob/master/evel.js#L49 — I do whitelist the ES5 globals because I assume most code should be allowed to expect them. I'll be the first to admit that masking every global every function call is kind of "not ideal" but AFAICT combining https://github.com/natevw/evel's tricks with this iframe stuff yields a fairly declawed environment.

[Hobart2967]

For implementation, take a look at this! : https://www.w3schools.com/tags/att_iframe_sandbox.asp