Problem
I have some JavaScript content that I want to "sandbox" in an iframe:
<script type="text/javascript">
    doSomethingPotentiallyMalicious( // ideally, i want this to be able to run...
        top.document.getElementById('sensitive_information') // ...but want this to fail due to cross-domain permissions
    );
</script>
The catch: due to the nature of our web application, I need to embed this in the parent page that contains the iframe, and I need to do this cross-browser.
Data URL ... almost, but not quite
I managed to get the desired effect in Chrome by setting the content of the iframe via a data URL:
<iframe id="sandbox" src="data:text/html;charset=utf-8,%3Cscript%20type%3D%22text%2Fjavascript%22%3E%0A%20%20%20%20doSomethingPotentiallyMalicious(%20%2F%2F%20ideally%2C%20i%20want%20this%20to%20be%20able%20to%20run...%0A%20%20%20%20%20%20%20%20top.document.getElementById('sensitive_information')%20%2F%2F%20...but%20want%20this%20to%20fail%20due%20to%20cross-domain%20permissions%0A%20%20%20%20)%3B%0A%3C%2Fscript%3E"></iframe>
However, data URL support is spotty, and this needs to work across multiple browsers.
Document.write gets content there but doesn't have cross-domain security
I can hold the unsafe content inline as an escaped JavaScript string and then write it as the iframe's content:
<iframe id="sandbox" src="http://google.com/"></iframe>
<script>
    var unsafeContent = '\x3Cscript\x20type\x3D\x22text\x2Fjavascript\x22\x3E\x0A\x20\x20\x20\x20doSomethingPotentiallyMalicious\x28\x20\x2F\x2F\x20ideally,\x20i\x20want\x20this\x20to\x20be\x20able\x20to\x20run...\x0A\x20\x20\x20\x20\x20\x20\x20\x20top.document.getElementById\x28\x27sensitive_information\x27\x29\x20\x2F\x2F\x20...but\x20want\x20this\x20to\x20fail\x20due\x20to\x20cross\x2Ddomain\x20permissions\x0A\x20\x20\x20\x20\x29\x3B\x0A\x3C\x2Fscript\x3E\x0A\x0A';
    var sandbox = document.getElementById('sandbox');
    // resolve the iframe's window object across browsers
    sandbox = (sandbox.contentWindow) ? sandbox.contentWindow
            : (sandbox.contentDocument.document) ? sandbox.contentDocument.document
            : sandbox.contentDocument;
    sandbox.document.open();
    sandbox.document.write(unsafeContent);
    sandbox.document.close();
</script>
The problem with this is that after I write this content into the iframe, the cross-domain security seems to no longer exist (which means that the doSomethingPotentiallyMalicious function has access to everything in the parent window).
Document.write + document.domain doesn't seem to get us there either
I even tried changing document.domain (by dropping the left-most label, so "www.example.com" becomes "example.com") per this previous SO post, but this doesn't seem to enforce a cross-domain policy either:
<iframe id="sandbox" src="http://google.com/"></iframe>
<script>
    // prepended to unsafeContent: document.domain = document.domain.replace(/^[\w-]+\./,'');
    var unsafeContent = '\x3Cscript\x20type\x3D\x22text\x2Fjavascript\x22\x3E\x0A\x20\x20\x20\x20document.domain\x20\x3D\x20document.domain.replace\x28\x2F\x5E\x5B\x5Cw\x2D\x5D\x2B\x5C.\x2F,\x27\x27\x29\x3B\x0A\x20\x20\x20\x20doSomethingPotentiallyMalicious\x28\x20\x2F\x2F\x20ideally,\x20i\x20want\x20this\x20to\x20be\x20able\x20to\x20run...\x0A\x20\x20\x20\x20\x20\x20\x20\x20top.document.getElementById\x28\x27sensitive_information\x27\x29\x20\x2F\x2F\x20...but\x20want\x20this\x20to\x20fail\x20due\x20to\x20cross\x2Ddomain\x20permissions\x0A\x20\x20\x20\x20\x29\x3B\x0A\x3C\x2Fscript\x3E\x0A\x0A';
    var sandbox = document.getElementById('sandbox');
    // resolve the iframe's window object across browsers
    sandbox = (sandbox.contentWindow) ? sandbox.contentWindow
            : (sandbox.contentDocument.document) ? sandbox.contentDocument.document
            : sandbox.contentDocument;
    sandbox.document.open();
    sandbox.document.write(unsafeContent);
    sandbox.document.close();
</script>
Is what I'm trying to do even technically feasible at the moment?
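An added example, not part of the question above: the approach a defender would take today for exactly this situation (untrusted script that lives in the parent page but must not reach the parent's DOM). It relies on the iframe `sandbox` attribute, which gives the framed document an opaque origin unless `allow-same-origin` is granted, and on `srcdoc`, which lets the parent supply the frame's markup without a data URL. The question's data URL approach is kept as a fallback, also under `sandbox`. The untrusted content is the one decoded from the question's data URL; the function names (`buildSandboxedIframe`, `buildDataUrlIframe`, `mountSandbox`, `acceptFromSandbox`) are mine and assume a browser that implements `sandbox` and `srcdoc`.

```javascript
// Added example (not from the question): sandboxing parent-supplied untrusted
// content with the iframe `sandbox` + `srcdoc` attributes. Assumes a browser
// that implements both; all function names are this example's own.

// The untrusted content from the question, decoded from its data: URL.
// In a sandbox without allow-same-origin the frame has an opaque origin, so
// the top.document access throws a SecurityError instead of succeeding,
// while doSomethingPotentiallyMalicious itself is still allowed to run.
const UNTRUSTED_CONTENT = [
  '<script type="text/javascript">',
  '    doSomethingPotentiallyMalicious( // ideally, i want this to be able to run...',
  "        top.document.getElementById('sensitive_information') // ...but want this to fail due to cross-domain permissions",
  '    );',
  '</script>',
].join('\n');

// Sandbox tokens that must never be granted to untrusted content:
// allow-same-origin gives a srcdoc document the parent's origin (the exact
// "cross-domain security no longer exists" outcome from the question), and
// allow-top-navigation lets the frame redirect the whole page.
const FORBIDDEN_TOKENS = new Set(['allow-same-origin', 'allow-top-navigation']);

function assertTokensSafe(tokens) {
  const bad = tokens.filter((t) => FORBIDDEN_TOKENS.has(t));
  if (bad.length) {
    throw new Error('refusing to grant ' + bad.join(', ') + ' to untrusted content');
  }
}

// Escape a string for use inside a double-quoted HTML attribute value.
// '&' goes first so the entities introduced by the later replacements survive.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Static markup variant: the untrusted content is embedded in the parent page
// as the srcdoc attribute, so it must be attribute-escaped.
function buildSandboxedIframe(untrustedHtml, tokens = ['allow-scripts']) {
  assertTokensSafe(tokens);
  return '<iframe sandbox="' + tokens.join(' ') +
         '" srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>';
}

// Fallback for browsers without srcdoc: the question's data: URL approach,
// still under a sandbox attribute. encodeURIComponent also encodes '#',
// which would otherwise truncate the URL at the first fragment marker.
function buildDataUrlIframe(untrustedHtml, tokens = ['allow-scripts']) {
  assertTokensSafe(tokens);
  const src = 'data:text/html;charset=utf-8,' + encodeURIComponent(untrustedHtml);
  return '<iframe sandbox="' + tokens.join(' ') +
         '" src="' + escapeAttr(src) + '"></iframe>';
}

// DOM variant (browser only): setting properties needs no escaping at all.
// Unlike document.write() into an about:blank frame, which inherits the
// parent's origin, a sandboxed srcdoc document is cross-origin to the parent.
function mountSandbox(container, untrustedHtml, tokens = ['allow-scripts']) {
  assertTokensSafe(tokens);
  const frame = container.ownerDocument.createElement('iframe');
  frame.setAttribute('sandbox', tokens.join(' '));
  frame.srcdoc = untrustedHtml;
  container.appendChild(frame);
  return frame;
}

// Parent-side filter for postMessage traffic from the sandbox. An opaque-origin
// frame reports event.origin as the string 'null', so the check has to be on
// the sending window, not on the origin alone.
function acceptFromSandbox(event, sandboxWindow) {
  return event.origin === 'null' && event.source === sandboxWindow;
}
```

The parent talks to the sandboxed frame only through `postMessage`, and never grants `allow-same-origin` to content it does not trust; with `allow-scripts` set, that combination would let the frame remove its own `sandbox` attribute. Where the frame needs capabilities beyond running script (forms, popups), add the individual `allow-*` tokens rather than relaxing the origin.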