Hi,

Except for Caja (which is Java-based), is there a simple JavaScript implementation for sandboxing iframes?

A: 

Load the iframe from a different domain, and the same origin policy will sandbox any scripts.

David Dorward
Iframes are an isolation mechanism, not a security mechanism. From http://code.google.com/p/google-caja/ : Today, some websites embed third-party code using iframes. This approach does not prevent a wide variety of attacks: redirection to phishing pages which could pretend to be a login page for the embedding application; stopping the browser from working until the user downloads malware; stealing history information ... so that more target phishing attacks can be done... once [a website] has [given user data] ... it cannot stop the iframe app from sending that data elsewhere.
Mike Samuel
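
An added example, not part of the thread: a small audit function for iframe embeds that checks the origin separation the answer relies on and flags the behaviours the comment lists. It assumes the HTML5 `sandbox` attribute, which the thread does not mention; `auditIframe` is a hypothetical helper and the hostnames are constructed.

```javascript
// Added example: audit how a third-party iframe is embedded.
// Hostnames below are constructed placeholders.

// Sandbox tokens that re-enable behaviours the comment above warns about.
const RISKY_TOKENS = {
  "allow-top-navigation": "frame can redirect the whole page (phishing redirect)",
  "allow-modals": "frame can open blocking alert/confirm dialogs",
  "allow-popups": "frame can open new windows",
  "allow-downloads": "frame can start downloads",
};

// hostUrl: page doing the embedding; frameSrc: the iframe's src;
// sandbox: value of the sandbox attribute, or null if the attribute is absent.
function auditIframe(hostUrl, frameSrc, sandbox) {
  const findings = [];
  const host = new URL(hostUrl);
  const frame = new URL(frameSrc, host); // resolves relative src values
  const sameOrigin = host.origin === frame.origin;

  if (sandbox === null) {
    findings.push("no sandbox attribute: only the same-origin policy applies");
    if (sameOrigin) {
      findings.push("same origin: frame scripts can read and modify the parent DOM");
    }
    return findings;
  }
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  for (const [token, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  if (sameOrigin && tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin on a same-origin frame: " +
                  "frame can remove its own sandbox");
  }
  return findings;
}

// Constructed sample embeds.
const HOST = "https://app.example/dashboard";
console.log(auditIframe(HOST, "/widgets/chat.html", null));
console.log(auditIframe(HOST, "https://widgets.example/chat.html", "allow-scripts"));
console.log(auditIframe(HOST, "https://widgets.example/chat.html",
                        "allow-scripts allow-top-navigation"));
```

An empty result does not cover the last point in the comment: data already handed to the frame can still be sent elsewhere.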