How do I enforce same origin policy iframe restrictions on an iframe in my own domain?
I am the creator of http://labcss.net, and I have a security issue I need to solve. labcss is similar to jsFiddle, only jsFiddle executes their Javascript code in a sandbox. Since I need to heavily manipulate the contents of the iframe and interact with it, I can't have the "Run" button approach, which sends the data to the iframe jail.
I need to enforce Javascript restrictions so that the internal Javascript which will run in the iframe, although in the same domain, will execute out of my domain, so I won't have XSS issues. (I do need the Javascript to execute though).
Thanks for the advice.
You could use Google Caja, Microsoft WebSandbox, Facebook FBJS, AdSafe, or (on very modern browsers) SES. These all provide a secure Javascript sandbox. However, be warned: they have a fair number of moving parts.
Caja and WebSandbox let you write standard Javascript, with no restrictions, and you can use many existing Javascript libraries. FBJS and AdSafe have you write in a different, more restricted language: FBJS in Facebook's variant of Javascript, AdSafe in a restricted subset of Javascript with its own library.
You may also find the HTML5 iframe sandbox attribute helpful. This is the spec, but the best description might be here.
This seems to be supported on Chrome, IE10, Firefox, and Safari.
The spec says that if the "allow-same-origin" attribute is not set, "the content is treated as being from a unique origin." This should prevent your child iframe from accessing any part of the parent's DOM.
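An added example (not code from the question or either answer) of what that unique-origin rule looks like in practice: the parent mounts a same-site iframe with a `sandbox` attribute that omits `allow-same-origin`, and the frame's own script tries to read `parent.document` and reports the outcome back over `postMessage`, which is the channel the parent and frame can still use once they are effectively cross-origin. The helper names `sandboxTokens`, `mountSandboxedFrame` and `PROBE_SOURCE` are my own, and the refusal of `allow-scripts` together with `allow-same-origin` reflects the HTML spec's warning that a same-origin frame with both can strip its own sandbox.

```javascript
// Build the sandbox attribute value. allow-same-origin is left out so the
// frame gets a unique (opaque) origin and cannot script the parent's DOM.
function sandboxTokens(opts) {
  // Spec caveat: with both keywords a same-origin frame can remove the
  // sandbox attribute and reload itself, so refuse that combination.
  if (opts.scripts && opts.sameOrigin) {
    throw new Error('allow-scripts + allow-same-origin defeats the sandbox');
  }
  const tokens = [];
  if (opts.scripts) tokens.push('allow-scripts');
  if (opts.forms) tokens.push('allow-forms');
  if (opts.sameOrigin) tokens.push('allow-same-origin');
  return tokens.join(' ');
}

// Probe appended to the user's HTML: attempt to touch parent.document and
// report the result. In a sandboxed frame the access throws a SecurityError.
const PROBE_SOURCE = `<script>
  let result;
  try { result = 'parent DOM reachable: ' + parent.document.title; }
  catch (e) { result = 'blocked: ' + e.name; }
  parent.postMessage({ probe: result }, '*');
<\/script>`;

// Mount the user's HTML in a sandboxed srcdoc iframe (browser-only helper).
// The parent listens for the probe message instead of reaching into the
// frame's DOM, which it can no longer do either.
function mountSandboxedFrame(container, userHtml, onResult) {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', sandboxTokens({ scripts: true, sameOrigin: false }));
  window.addEventListener('message', (ev) => {
    // ev.origin is "null" for an opaque origin, so match on the window object.
    if (ev.source === frame.contentWindow && ev.data && ev.data.probe) {
      onResult(ev.data.probe);
    }
  });
  frame.srcdoc = userHtml + PROBE_SOURCE;
  container.appendChild(frame);
  return frame;
}

// Run the demo only when a DOM exists (constructed sample user HTML).
if (typeof document !== 'undefined') {
  mountSandboxedFrame(document.body, '<p>user code goes here</p>', (r) => console.log(r));
}
```

In a browser the console shows `blocked: SecurityError`; drop the `sandbox` attribute and the same probe reads the parent's title.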