What are the risks of letting users upload and run JavaScript

死守一世寂寞 2021-01-03 05:38

If you have, say, an HTML5 games arcade that allows users to upload a script that runs a game with HTML5 and JavaScript, assuming you have no filters on their input (apart fr

4 answers
  •  感情败类
    2021-01-03 06:27

    Writing a bot that wins.
    Then the game would quickly move to writing a better bot to beat the other bots ;)

    If you load these scripts in an iframe with another domain, subdomain, port or protocol, the same origin policy will prevent these scripts from reading the content of the main page.

    And you can set up a string communication between these iframes and your main page through window.postMessage for modern browsers or using the window.name hack for older browsers.

    And to prevent cookie stealing, you can have a secret key in your main page that you send back to your server for each request.
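
The host-page side of the window.postMessage channel described in the answer above, as an added example that is not part of the original answer. The origin `https://games.example.net`, the path, the message types and the size and score limits are assumptions chosen for illustration.

```javascript
// Host page: accept messages only from the game frame on its own origin.
// GAME_ORIGIN, the message types and the limits are assumptions for this example.
const GAME_ORIGIN = "https://games.example.net";

// Allowed message types, each with a validator for its payload.
const ALLOWED = {
  ready: (p) => p === undefined,
  score: (p) => Number.isInteger(p) && p >= 0 && p <= 1e9,
};

// Build a "message" event handler bound to one iframe window.
// Returns true if the message was accepted, false if it was dropped.
function makeHandler(frameWindow, onMessage) {
  return function handle(event) {
    // Any window can post to us, so check both who sent it and from where.
    if (event.origin !== GAME_ORIGIN) return false;
    if (event.source !== frameWindow) return false;
    // String-only channel, as in the answer; bound the size before parsing.
    if (typeof event.data !== "string" || event.data.length > 1024) return false;
    let msg;
    try { msg = JSON.parse(event.data); } catch { return false; }
    if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return false;
    // Own-property lookup so "constructor" or "__proto__" never resolve.
    const known = Object.prototype.hasOwnProperty.call(ALLOWED, msg.type);
    if (!known || !ALLOWED[msg.type](msg.payload)) return false;
    // Hand on a fresh object with only the validated fields.
    onMessage({ type: msg.type, payload: msg.payload });
    return true;
  };
}

// Browser wiring (skipped when run outside a browser).
if (typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  frame.src = GAME_ORIGIN + "/play.html"; // hypothetical path
  document.body.appendChild(frame);
  window.addEventListener("message", makeHandler(frame.contentWindow, console.log));
}
```

A message that passes these checks is still user-controlled input: the uploaded script can send any score it likes, so the server should not treat it as proof of play.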
