This repository has been archived by the owner on Apr 6, 2021. It is now read-only.
Investigate a way to implement a factory mechanism to create sandboxed
iframes to simplify the problem of loading potentially untrusted content
into a page (read widgets, microapps, etc.).
Ideally this would be accessed via the Locator like:
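<script type="text/javascript">
    var untrustedWidget = false;
    // Proposed API sketch. Inside with(), members of the domUtilities object
    // resolve as bare names; `this` is not rebound to that object.
    with ( $ESAPI.domUtilities() ) {
        untrustedWidget = contentFactory.createIFrame({
            id: 'untrusted-widget',
            src: 'http://www.untrusted.com/widget',
            // sandbox keywords to grant; everything else stays restricted
            sandboxAttributes: [
                Sandbox.ALLOW_SAME_ORIGIN
            ]
        });
    }
    $ESAPI.select( 'untrusted-widget-container' ).appendChild( untrustedWidget );
</script>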
The implementation of the createIFrame method would use the sandbox
attribute of IFrame if supported by the user-agent, and if not create an
IFrame JavaScript sandbox using a third party library or by preloading the
content of the page, and wrapping any JavaScript executed in the frame in
the context of a with() block that provides a limited subset of the
JavaScript API (whitelist and blacklist).
There is a great deal of documentation around IFrame Sandboxing in the
HTML5 Specification:
http://dev.w3.org/html5/spec/Overview.html#attr-iframe-sandbox
Original issue reported on code.google.com by chrisisbeef on 29 Apr 2010 at 4:20
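
The factory requested in this issue could take the following shape. This is an added example, not part of the original issue or of ESAPI4JS; `SANDBOX_TOKENS`, `buildSandboxValue` and `createSandboxedIFrame` are hypothetical names. It assumes a fail-closed policy when the user-agent lacks `sandbox` support, instead of the JavaScript fallback the issue proposes.

```javascript
// Added example; all names here are hypothetical, not ESAPI4JS API.
const SANDBOX_TOKENS = Object.freeze({
  ALLOW_FORMS: 'allow-forms',
  ALLOW_SAME_ORIGIN: 'allow-same-origin',
  ALLOW_SCRIPTS: 'allow-scripts',
  ALLOW_TOP_NAVIGATION: 'allow-top-navigation'
});
const KNOWN_TOKENS = new Set(Object.values(SANDBOX_TOKENS));

// Build the sandbox attribute value from an allowlist of keywords.
// An empty list yields "", which applies every sandbox restriction.
function buildSandboxValue(tokens) {
  const unique = [...new Set(tokens || [])];
  for (const t of unique) {
    if (!KNOWN_TOKENS.has(t)) throw new TypeError('unknown sandbox token: ' + String(t));
  }
  return unique.sort().join(' ');
}

// doc is a Document (or a stub with baseURI and createElement for testing).
function createSandboxedIFrame(doc, opts) {
  const url = new URL(opts.src, doc.baseURI); // also resolves a relative src
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new TypeError('refusing non-http(s) frame source: ' + url.protocol);
  }
  const sandbox = buildSandboxValue(opts.sandboxAttributes);
  const granted = new Set(sandbox.split(' '));
  const sameOrigin = url.origin === new URL(doc.baseURI).origin;
  // A same-origin document granted both keywords can script the embedding
  // page and remove its own sandbox attribute, so the sandbox is void.
  if (sameOrigin && granted.has('allow-scripts') && granted.has('allow-same-origin')) {
    throw new Error('allow-scripts with allow-same-origin voids the sandbox for same-origin content');
  }
  const frame = doc.createElement('iframe');
  if (!('sandbox' in frame)) {
    // Assumed policy: fail closed when the attribute would be ignored.
    throw new Error('iframe sandbox unsupported; not loading ' + url.origin);
  }
  frame.id = opts.id;
  frame.setAttribute('sandbox', sandbox); // set before src so the first load is sandboxed
  frame.src = url.href;
  return frame;
}
```

In a browser the first argument is `document`; the returned element is then appended to the container as in the issue's sketch.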