Open
Description
A sandbox could be an interesting idea, especially as a dropdown with options for what should be blocked.
I am not sure if anything should be blocked by default, because that could always end in frustration when something that should work does not for mysterious reasons.
But it might make a good default to block all external requests when the editor gets a feature to link to code directly. Like ...html_editor/?code=<!doctype html><html>...
Then it could display an info box like "Initial code was loaded from your link and the sandbox was activated. Use the Sandbox menu to enable more features the code can use".
This first experiment of restricting JS features with the sandbox attribute and a CSP header looks promising:
```html
<!-- allow-scripts only: no allow-same-origin, so the frame gets an opaque origin -->
<iframe sandbox="allow-scripts"></iframe>
<script>
document.querySelector('iframe').srcdoc=`
<!-- CSP applies to the srcdoc document; only inline scripts are permitted -->
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline'">
<span>Hello</span>
<script>
document.querySelector('span').innerHTML+=" world";
fetch('/');            // blocked: no connect-src
</sc`+`ript>           <!-- split so the outer <script> is not closed early -->
<img src='https://placecats.com/300/200'>   <!-- blocked: no img-src -->
`;
</script>
```
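To show how the "Sandbox menu" idea above could drive the CSP, here is an added example that is not part of the issue or the editor's code base. It maps a set of hypothetical feature names (`network`, `images`, `styles`, `fonts`, `media`) to the CSP directive that enables each one, always starts from `default-src 'none'`, never emits `allow-same-origin`, and places the CSP `<meta>` before any user markup so it governs every request the user's code makes.

```javascript
// Added example, not the editor's own code: compose the iframe sandbox
// attribute, a CSP for the srcdoc document, and the srcdoc itself from the
// set of features the user enabled. Feature names and the directive
// mapping are hypothetical.

// Always-on baseline: nothing is allowed except inline scripts in the
// user's own document. Each enabled feature only widens this baseline.
const BASE_DIRECTIVES = ["default-src 'none'", "script-src 'unsafe-inline'"];

// Each menu option maps to the CSP directive that enables it.
const FEATURE_DIRECTIVES = {
  network: "connect-src *",            // fetch() / XMLHttpRequest / WebSocket
  images: "img-src * data:",           // remote and data: images
  styles: "style-src 'unsafe-inline' *",
  fonts: "font-src *",
  media: "media-src *",
};

// The frame stays in an opaque origin: allow-same-origin is never added,
// so user code cannot read the editor's own storage or DOM.
const SANDBOX_ATTRIBUTE = "allow-scripts";

function buildCsp(enabledFeatures) {
  const directives = [...BASE_DIRECTIVES];
  for (const name of enabledFeatures) {
    if (!Object.prototype.hasOwnProperty.call(FEATURE_DIRECTIVES, name)) {
      throw new Error(`unknown sandbox feature: ${name}`);
    }
    directives.push(FEATURE_DIRECTIVES[name]);
  }
  return directives.join("; ");
}

// The CSP <meta> must precede any user markup so it is in force before
// the first user-controlled resource request is made.
function buildSrcdoc(userCode, enabledFeatures) {
  const csp = buildCsp(enabledFeatures);
  return [
    "<!doctype html>",
    `<meta http-equiv="Content-Security-Policy" content="${csp}">`,
    userCode,
  ].join("\n");
}

// Everything the editor needs to configure the preview frame.
function sandboxPolicy(userCode, enabledFeatures = []) {
  return {
    sandbox: SANDBOX_ATTRIBUTE,
    csp: buildCsp(enabledFeatures),
    srcdoc: buildSrcdoc(userCode, enabledFeatures),
  };
}

// Constructed sample: the snippet from the issue, with only images enabled.
// "<\/script>" keeps a literal </script> out of this file's own source,
// the same reason the issue splits it as </sc`+`ript>.
const sampleUserCode = `<span>Hello</span>
<script>
document.querySelector('span').innerHTML+=" world";
fetch('/');
<\/script>
<img src='https://placecats.com/300/200'>`;

const policy = sandboxPolicy(sampleUserCode, ["images"]);
console.log("sandbox attribute:", policy.sandbox);
console.log("csp:", policy.csp);
// In the page this would be: iframe.sandbox = policy.sandbox; iframe.srcdoc = policy.srcdoc;
```

Two properties of the browser's CSP handling make this composition safe to rely on: a document that carries several policies must satisfy all of them, so user code adding its own permissive `<meta http-equiv="Content-Security-Policy">` cannot loosen the one the editor put first, and with `sandbox="allow-scripts"` alone the srcdoc frame has an opaque origin, so even an enabled `connect-src` never carries the editor's own credentials.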