
Is there a Same-Origin-Policy for links in HTML?


This may sound weird, but let me explain:

I would like to create an HTML page that contains content from, and links to, only the same domain (images etc.). I also want it to include (somewhat trusted) external (3rd-party) JavaScript, like Bootstrap, jQuery, etc., which I link from a CDN.

Now I want to make sure that these other libraries never, under any circumstances, create clickable links (or make XHR requests) to resources other than those on my origin domain. So, whatever the user does on this page, requests will only go to my domain, never anywhere else, thus forcing links to go only to targets on the same origin the original file was served from.

  • Does this sound reasonable?
  • Will it help if I host those (somewhat trusted) 3rd party libs on my domain?

Solution

  • You're looking for Content-Security-Policy, which can block everything except <a href>.

    For links, you could use a MutationObserver to watch all links and throw an error or remove invalid ones, and you can override window.open() to throw an error for invalid URLs.
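The two halves of the answer put together, as an added example that is not part of the original post or answer: a Content-Security-Policy string for the server to send (CSP governs scripts, XHR/fetch, form submissions and sub-resources, but not plain `<a href>` navigation), plus an in-page guard that strips cross-origin targets from `<a>`, `<area>` and `<form>`, re-checks them through a MutationObserver, blocks clicks on anything that slips through, and wraps `window.open()`. The fallback origin `https://example.com`, the CDN host in the usage note and the `data-blocked-target` attribute are assumptions made for the example; in a real page the origin is always `location.origin`.

```javascript
// Added example (not from the original post): a same-origin allow-list for
// links, form targets, window.open() and a matching Content-Security-Policy.
// PAGE_ORIGIN falls back to a constructed value so the helpers also run
// outside a browser; in a page it is always location.origin.
const PAGE_ORIGIN = typeof location !== 'undefined' ? location.origin : 'https://example.com';

// True only for http(s) URLs whose origin (scheme, host, port) equals base.
// Relative URLs are resolved against base first, so "/about" and "#top" pass
// while "//evil.example/x", "javascript:", "mailto:" and "data:" do not.
function isSameOrigin(href, base = PAGE_ORIGIN) {
  let url;
  try {
    url = new URL(String(href), base);
  } catch (_) {
    return false;                       // unparsable: treat as foreign
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return url.origin === new URL(base).origin;
}

// CSP for the server to send as a response header. It covers everything the
// browser fetches or submits; <a href> navigation is not governed by CSP,
// hence the DOM guard further down. scriptHosts/styleHosts are the CDN
// origins of the third-party libraries the page actually loads.
function buildCsp({ scriptHosts = [], styleHosts = [] } = {}) {
  return [
    "default-src 'self'",
    `script-src ${["'self'", ...scriptHosts].join(' ')}`,
    `style-src ${["'self'", ...styleHosts].join(' ')}`,
    "connect-src 'self'",   // XMLHttpRequest, fetch(), WebSocket, beacons
    "form-action 'self'",   // where a <form> may submit
    "base-uri 'self'",      // no injected <base> redirecting relative links
    "object-src 'none'",
  ].join('; ');
}

// Strip foreign targets from <a>, <area> and <form> under root; returns how
// many attributes were removed. The data-blocked-target marker is assumed.
function neutralizeForeignLinks(root) {
  let stripped = 0;
  for (const el of root.querySelectorAll('a[href], area[href], form[action]')) {
    const attr = el.hasAttribute('href') ? 'href' : 'action';
    if (!isSameOrigin(el.getAttribute(attr))) {
      el.removeAttribute(attr);
      el.setAttribute('data-blocked-target', 'cross-origin');
      stripped++;
    }
  }
  return stripped;
}

// Browser-only part: must run as the first script in <head>, before any
// third-party library, so the overrides are in place when they execute.
function installSameOriginGuards(doc, win) {
  neutralizeForeignLinks(doc);
  // Re-scan whenever a script inserts nodes or rewrites href/action later.
  new win.MutationObserver(() => neutralizeForeignLinks(doc))
    .observe(doc.documentElement, {
      childList: true, subtree: true,
      attributes: true, attributeFilter: ['href', 'action'],
    });
  // Capturing listener on the document runs before any library's own handler.
  doc.addEventListener('click', (ev) => {
    const a = ev.target.closest && ev.target.closest('a[href], area[href]');
    if (a && !isSameOrigin(a.getAttribute('href'))) ev.preventDefault();
  }, true);
  // window.open(): refuse cross-origin targets outright, as the answer suggests.
  const realOpen = win.open.bind(win);
  win.open = function (url = '', ...rest) {
    if (!isSameOrigin(url)) throw new Error(`window.open blocked: ${url}`);
    return realOpen(url, ...rest);
  };
}

if (typeof document !== 'undefined') installSameOriginGuards(document, window);
```

Serve `buildCsp({ scriptHosts: ['https://cdn.jsdelivr.net'] })` (assumed CDN host) as the `Content-Security-Policy` header and load this script first. Two caveats: the CSP part is enforced by the browser and is the real control for XHR and form posts, whereas the DOM guard is only as strong as any other page script, since a library that runs in the same origin can call `location.assign()`, build and submit its own form, or restore the original `window.open`. Hosting the libraries on your own domain changes where the bytes come from, not what the code can do once it runs.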