
Cross-site monkey-patching security

Open timimahoney opened this issue 11 years ago • 0 comments

All the pages in a process share the same DOM classes. This means that one site could monkey-patch a class and breach the security of another site. For example:

```ruby
window.class.send(:define_method, :window) do
  # Here, the script might have access to
  # the Window of another site.
end
```

There are a few ways to fix this:

  • Run a new Ruby process for each frame: This seems to be the safest bet, but would require a good amount of work. It may be automatically implemented in a multi-process architecture like Chromium.
  • Define the DOM classes separately for each frame: This shouldn't require all that much work. Each RB class currently has a static VALUE member that represents its class. We would replace this with a map of DOMWindow to VALUE. Then, we would convert RBObject::rubyClass() to RBObject::rubyClass(DOMWindow*) so that we know which window to get the class for.
  • Run at a safe mode high enough to disable monkey-patching: I don't think I like this one. Some people might want to patch classes, but they would be out of luck. We may want to raise the safe level anyway, but not because of this issue.

timimahoney, Apr 08 '13 16:04
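The second option above, modelled in plain Ruby as an added example (not decaf's code): a shared class lets a patch made by one frame show up in every other frame, while a registry keyed by window (the "map of DOMWindow to VALUE") keeps each frame's class separate. `DOMWindow`, `ClassRegistry` and `patch_leaks?` are stand-ins invented for this example.

```ruby
# Stand-in for WebCore's DOMWindow; only its identity matters here.
class DOMWindow
  attr_reader :origin
  def initialize(origin)
    @origin = origin
  end
end

# Current design: one class object shared by every frame in the process.
SHARED_ELEMENT_CLASS = Class.new do
  def tag_name; "div"; end
end

# Proposed design: one class object per window, created on first use.
# element_class_for plays the role of RBObject::rubyClass(DOMWindow*).
class ClassRegistry
  def initialize
    @classes = {}   # DOMWindow -> Class (the VALUE in the C++ side)
  end

  def element_class_for(window)
    @classes[window] ||= Class.new do
      def tag_name; "div"; end
    end
  end
end

# The kind of patch the issue describes, applied through a class object.
def patch(klass)
  klass.send(:define_method, :patched?) { true }
end

# Site A patches the Element class it can reach; report whether site B's
# Element class now carries that method. class_for maps a window to its
# class under the design being tested.
def patch_leaks?(class_for)
  a = DOMWindow.new("https://a.example")   # constructed sample origins
  b = DOMWindow.new("https://b.example")
  patch(class_for.call(a))
  class_for.call(b).method_defined?(:patched?)
end

shared  = ->(_w) { SHARED_ELEMENT_CLASS }
registry = ClassRegistry.new
per_win = ->(w) { registry.element_class_for(w) }

puts "shared class leaks patch:     #{patch_leaks?(shared)}"   # true
puts "per-window class leaks patch: #{patch_leaks?(per_win)}"  # false
```

The per-window map only isolates frames as long as one frame has no other route to another frame's class object (a global constant, ObjectSpace enumeration); that part of the design still has to be checked separately.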