I am trying to use Caja to sandbox users' games, to prevent malicious code from being run; however, when using Caja you use separate host and guest pages, e.g.
example.com/host and
example.com/guest

My concern is that an attacker could simply link to the unsandboxed
example.com/guest, and bypass the sandbox entirely.
Is there any way to protect against this, such as dynamically loading the HTML from a string, or blocking direct access to
example.com/guest?