I'm working on a site that receives third-party untrusted Javascript as a string, and needs to eval() it. The site has sensitive cookies and localStorage that the untrusted code cannot have access to.
To solve this, I created a child iframe to another page in the same domain, with allow-scripts as the only sandbox attribute:
<iframe src="..." sandbox="allow-scripts"></iframe>
The child iframe has a list of preset methods it can execute based on expected payload from the parent using window.postMessage. The child receives the parent payload including the untrusted code to be executed, eval()s it and returns the response as a string to the parent via window.postMessage.
I've tested and verified the child iframe can't access the parent cookies or localStorage.
AFAIK this is safe, but I would like to know from someone experienced in the area.