I am trying to use Caja to sandbox users' games, to prevent malicious code from being run; however, when using Caja you use separate host and guest pages, e.g. example.com/host.
My concern is that an attacker could simply link to the unsandboxed example.com/guest, and bypass the sandbox entirely.
Is there any way to protect against this, such as dynamically loading the HTML from a string, or blocking direct access to example.com/guest?