Investigate a way to implement a factory mechanism to create sandboxed iframes to simplify the problem of loading potentially untrusted content into a page (read widgets, microapps, etc.).
Ideally this would be accessed via the Locator, like:
<script type="text/javascript">
    var untrustedWidget = false;
    // Inside with(), members of the scoped object are referenced by bare name;
    // `this` is not rebound to the with() object.
    with ( $ESAPI.domUtilities() ) {
        untrustedWidget = contentFactory.createIFrame({
            id: 'untrusted-widget',
            src: 'http://www.untrusted.com/widget',
            sandboxAttributes: [ Sandbox.ALLOW_SAME_ORIGIN ]
        });
    }
    $ESAPI.select( 'untrusted-widget-container' ).appendChild( untrustedWidget );
</script>
The implementation of the createIFrame method would use the sandbox attribute of the iframe if supported by the user agent. If not, it would create an iframe JavaScript sandbox using a third-party library, or by preloading the content of the page and wrapping any JavaScript executed in the frame in the context of a with() block that provides a limited subset of the JavaScript API (whitelist and blacklist).
There is a great deal of documentation around IFrame Sandboxing in the HTML5 Specification:
http://dev.w3.org/html5/spec/Overview.html#attr-iframe-sandbox
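A sketch of the native-attribute branch of such a factory, added here as an example and not ESAPI4JS code: createSandboxedIFrame, SANDBOX_TOKENS and the doc parameter are hypothetical names. It covers only user agents that support the sandbox attribute and refuses to build the frame otherwise, rather than attempting the script-wrapping fallback described above.

```javascript
// Added example. createSandboxedIFrame and SANDBOX_TOKENS are hypothetical
// names, not part of ESAPI4JS. `doc` is the Document that creates the element.
const SANDBOX_TOKENS = Object.freeze({
  ALLOW_FORMS: 'allow-forms',
  ALLOW_SAME_ORIGIN: 'allow-same-origin',
  ALLOW_SCRIPTS: 'allow-scripts',
  ALLOW_TOP_NAVIGATION: 'allow-top-navigation'
});

function createSandboxedIFrame(doc, { id, src, sandboxAttributes = [] }) {
  const known = new Set(Object.values(SANDBOX_TOKENS));
  const tokens = [...new Set(sandboxAttributes)];

  // Allowlist the tokens: a typo must not silently change the policy.
  const unknown = tokens.filter((t) => !known.has(t));
  if (unknown.length > 0) {
    throw new Error('Unknown sandbox token(s): ' + unknown.join(', '));
  }
  // The HTML spec warns that allow-scripts plus allow-same-origin lets a
  // same-origin framed page remove its own sandbox attribute. Policy choice
  // of this example: reject the pair outright.
  if (tokens.includes(SANDBOX_TOKENS.ALLOW_SCRIPTS) &&
      tokens.includes(SANDBOX_TOKENS.ALLOW_SAME_ORIGIN)) {
    throw new Error('allow-scripts with allow-same-origin defeats the sandbox');
  }
  // Only absolute http(s) URLs; javascript: and data: URLs are rejected.
  const url = new URL(src); // throws on relative or malformed input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('Unsupported URL scheme: ' + url.protocol);
  }
  const frame = doc.createElement('iframe');
  // Feature detection: fail closed when the user agent ignores sandbox.
  if (!('sandbox' in frame)) {
    throw new Error('iframe sandbox unsupported; refusing to load ' + url.href);
  }
  // Set sandbox before src so the restrictions apply to the first load.
  // An empty token list yields sandbox="" (all restrictions on).
  frame.setAttribute('sandbox', tokens.join(' '));
  frame.id = id;
  frame.src = url.href;
  return frame;
}
```

In a page this would be called as createSandboxedIFrame(document, { ... }) and the returned element appended to the widget container.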
Status: Accepted
Labels:
Type-Enhancement
Priority-Medium
Security
Component-UI