Sandbox the live preview inside an iframe on a separate origin

[toolness]

This isn't yet a formal pull request with productionalized code; it's more to begin a dialogue that will take place in mozilla/webpagemaker#626.

The code contained in this pull request is a proof-of-concept which houses the live preview on a separate origin that is communicated with via postMessage. A simple message-passing protocol is defined that treats the preview frame as untrusted, thereby mitigating any attacks that malicious code can inflict on the editor domain.

I've hosted a demonstration of this at sandboxed-jsthimble.toolness.org. There shouldn't be any way to access the editor frame from script that the preview frame executes.

[toolness]

It should be noted that I originally tried using the sandbox attribute of <iframe> elements to implement this, so that we wouldn't have to mess with DNS/ports to create authentic separate origins. However, the sandbox created has a universally unique origin, and any of its child iframes also have universally unique, separate origins--which means that user code which creates iframes won't actually work the way a normal webpage does. Combined with the fact that the sandbox attribute isn't even supported on IE9, which we want to support, I didn't pursue this strategy.

That said, we could still benefit from using the sandbox attribute to prevent the child code from loading content to the top-level browsing context (i.e., the editor), as this is definitely something we never want to subject users to.

[toolness]

Note also that this proof-of-concept doesn't yet support the "x-ray goggles" effect of being able to click on an element in the preview page and having its source code highlighted in the editor side. However, this can be done with the right kind of message passing.