I wonder how good their protection is…
I believe it creates an iframe with a separate domain, writes the js into it, and communicates via message passing/anchor etc.
The net result is that you can execute unsafe js, in a sandbox on your page and expose an API to it.
It's not an iframe, it's a capability-based filter which provides more security than an iframe can. A lot of sites use it now that it's reasonably fast...
http://code.google.com/p/google-caja/