Make sandbox around Function() in Javascript

Question

Can I limit the access of a string-generated function (using the Function constructor) to the parent/global scopes?

For example: the following code, as it is, prints

Answer 1

Here is an additional idea which could be quite powerful together with Esailija's proposal (see the comments on his answer for the discussion).

You could create dummy iframe and use its Function function. The function created with that will only have access to the scope of the iframe by default, though it could still break out of it. Fortunately it is easy to prevent that, by the way Esailija suggested.

I could imagine the function to be like this:

function sandboxed(code) {
    var frame = document.createElement('iframe');
    document.body.appendChild(frame);

    var F = frame.contentWindow.Function,
        args = Object.keys(frame.contentWindow).join();

    document.body.removeChild(frame);

    return F(args, code)();
}

DEMO

Optionally you might want to prepend 'use strict'; to the code.

---

This works at least in Chrome. Whether the function created this way has access to the iframe's global scope or the page's global scope can be easily tested with:

(function() {
    var frame = document.createElement('iframe');
    document.body.appendChild(frame);
    var same = window === frame.contentWindow.Function('return window;')();
    alert(same ? ':(' : ':)');
    document.body.removeChild(frame);
}());