The purpose of this is to run some user-created JavaScript that processes sensitive data that should not escape the sandbox. My purpose here is not only to sandbox the script that is running, but also to sandbox the data that it is processing.
I can set up a subdomain or a web worker and use sendMessage to run the script and post the results back to the parent. I could use the new HTML5 sandbox flag on an iframe. All three of these methods can be used to isolate the script from the parent domain, but I can't find a way of locking down a script so that it can't send data to a server.
For example, a script running in a web worker could use an AJAX request to a server that accepts cross-domain requests to break the data out of the sandbox.
You can't cut off any native transport for a script.
For example, a Worker has access to only one native transport, XMLHttpRequest (because it has no access to document -> no nodes with src, link, forms), and you can redefine it, i.e. window.XMLHttpRequest = function () {return 1},
and the script can't send data to the server.
But just run delete window.XMLHttpRequest
and you will get back the native XMLHttpRequest. It works fine in strict mode too (ECMAScript-262 ed. 5/6):
```javascript
(function () {
  'use strict';
  // Shadow the native constructor with a stub that sends nothing.
  window.XMLHttpRequest = function () { return 1; };
  console.log(window.XMLHttpRequest);
  // Deleting the shadowing property exposes the native one again.
  delete window.XMLHttpRequest;
  console.log(window.XMLHttpRequest);
})();
```
About the HTML5 iframe options: if you use sandbox="allow-scripts allow-same-origin allow-pointer-lock",
no script from the iframe can send cross-domain requests (XMLHttpRequest, postMessage, WebSocket, WebRTC, Server-Sent Events... any). If you need to deny cross-domain requests, that is it.