I am developing a project in which other programmers can collaborate with their own HTML + JavaScript code. For security reasons I do not want their JavaScript code to have full access to the system, although I do want it to have some access (e.g. their code could call some functions of the site, but I do not want to use AJAX or similar):

I'm looking at the possibility of creating an iframe in which the programmer's HTML + JS would be executed in sandbox mode (so it cannot affect the top page) and combining it with postMessage and an internal API to allow some bidirectional communication.

... that works for me, but it generates display problems: in the iframe there may be elements that are dragged and that would be clipped if the user moves them towards the edges of the iframe (and I want there to be no difference for the user between the site and the iframe).

Is it possible to discard the iframe and put the programmer's code directly on the page, if possible in a secure manner? That is, would it be possible to run their JS file in sandbox mode or limit the functions it executes (similar to how an iframe in sandbox mode would)?

<script src="/ruta/a/js/del/usuario.js" sandbox></script>

I know that does not work because the script tag does not have a sandbox attribute, but is there something similar? And if not, how could it be simulated?
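The sandboxed-iframe plus postMessage bridge described in the question, written out as an added example (not code from the question or its answers); the function names, message shape and the two API calls are assumptions. The host keeps an explicit allowlist of callable functions and only accepts messages whose source is the one sandboxed frame it created.

```javascript
// Host-side bridge for guest code running in a sandboxed iframe (hypothetical
// example; function and message names are assumptions, not from the question).
// The iframe gets sandbox="allow-scripts" only: without allow-same-origin the
// guest runs with an opaque origin ("null") and cannot touch the host DOM,
// cookies or storage. All interaction goes through postMessage and this API.

// The only functions guest code may call, by name. Anything else is rejected.
const hostApi = {
  getTitle: () => 'Collaborative site',
  addNote: (text) => (typeof text === 'string' && text.length <= 200)
    ? { stored: text } : { error: 'invalid note' },
};

// Builds a message handler bound to one iframe's window, so messages from any
// other window (another iframe, an opener) are ignored.
function makeHostHandler(guestWindow, api, reply) {
  return function onMessage(event) {
    // Sandboxed frames post with origin "null"; still insist the sender is ours.
    if (event.source !== guestWindow || event.origin !== 'null') return;
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || typeof msg.call !== 'string') return;
    const { id, call, args = [] } = msg;
    // Look up own properties only, so "constructor" etc. cannot reach prototypes.
    if (!Object.prototype.hasOwnProperty.call(api, call)) {
      reply({ id, error: `unknown call: ${call}` });
      return;
    }
    try {
      reply({ id, result: api[call](...(Array.isArray(args) ? args : [])) });
    } catch (e) {
      reply({ id, error: 'call failed' }); // do not leak host stack traces
    }
  };
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof document !== 'undefined') {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts');   // no allow-same-origin
  frame.srcdoc = '<script>' +
    'window.onmessage = e => console.log("host said", e.data);' +
    'parent.postMessage({ id: 1, call: "getTitle", args: [] }, "*");' +
    '</script>';
  document.body.appendChild(frame);
  // Reply with targetOrigin "*": the sandboxed frame's origin is opaque.
  const handler = makeHostHandler(frame.contentWindow, hostApi,
    (m) => frame.contentWindow.postMessage(m, '*'));
  window.addEventListener('message', handler);
}
```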