Create a well-defined message interface and use a JavaScript Web Worker for the code you want to sandbox. HTML5 Web Workers
Web Workers do not have access to the following DOM objects.
- The window object
- The document object
- The parent object
So they can’t redirect your page or alter data on it.
You can create a template and a well-defined messaging interface so that users can create web worker scripts, but your script would have the final say on what gets manipulated.
EDIT: Comment by Jordan Gray plugging a JavaScript library that seems to do what I described above. https://github.com/eligrey/jsandbox
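A sketch of the host side of such a messaging interface, added here as an example; it is not part of the answer above and is not jsandbox code. The message shape (`op`, `id`, `text`), the allowlists and the function names are assumptions made for illustration.

```javascript
// Host-side gatekeeper: the worker can only *ask*; the page decides what changes.
// Assumed interface: the worker posts { op, id, text } objects.
const ALLOWED_OPS = new Set(["setText", "clear"]);
const ALLOWED_TARGETS = new Set(["output", "status"]); // element ids a script may touch
const MAX_TEXT = 200; // cap on text length accepted from the worker

// Validate one message from the worker; return a normalized command, or null to reject.
function vetWorkerMessage(msg) {
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  const { op, id, text } = msg;
  if (typeof op !== "string" || !ALLOWED_OPS.has(op)) return null;
  if (typeof id !== "string" || !ALLOWED_TARGETS.has(id)) return null;
  if (op === "clear") return { op, id, text: "" };
  if (typeof text !== "string" || text.length > MAX_TEXT) return null;
  return { op, id, text };
}

// Browser wiring (not executed at load): run user-supplied source in a worker and
// apply only vetted commands. A worker can still make network requests
// (fetch, XMLHttpRequest, importScripts); restricting those needs CSP or similar.
function runSandboxed(untrustedSource, timeoutMs = 1000) {
  const url = URL.createObjectURL(
    new Blob([untrustedSource], { type: "text/javascript" })
  );
  const worker = new Worker(url);
  let timer = null;
  const stop = () => {
    clearTimeout(timer);
    worker.terminate();
    URL.revokeObjectURL(url);
  };
  timer = setTimeout(stop, timeoutMs); // cap the worker's lifetime (runaway loops)
  worker.onmessage = (event) => {
    const cmd = vetWorkerMessage(event.data);
    if (cmd === null) return; // drop anything outside the interface
    const el = document.getElementById(cmd.id);
    // textContent, not innerHTML: worker-supplied strings stay inert text.
    if (el) el.textContent = cmd.text;
  };
  worker.onerror = stop;
  return { worker, stop };
}
```

In a page, `runSandboxed("postMessage({op:'setText', id:'output', text:'hi'})")` would update the element with id `output`, while a message naming any other operation or element is silently dropped.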