Right now, any document content can affect the whole app. This is both a security and a usability issue: Attackers can gain control over the app and faulty widgets can break the whole app.
Sandboxing on the document level seems to be the best choice. Widgets having access to the whole document can be useful, and the damage attackers can cause is limited to an acceptable level. Performance loss is also kept limited, since each open document has its own iframe, but the user most likely won't have many open documents (<10).
The document would need to exist in an iframe. The editor needs to be modified so all content exists in the iframe. Bundles need to be loaded into the iframe. The editor toolbox with its widget previews needs to be reconsidered, as well.
Right now, any document content can affect the whole app. This is both a security and a usability issue: Attackers can gain control over the app and faulty widgets can break the whole app.
Sandboxing on the document level seems to be the best choice. Widgets having access to the whole document can be useful, and the damage attackers can cause is limited to an acceptable level. Performance loss is also kept limited, since each open document has its own iframe, but the user most likely won't have many open documents (<10).
The document would need to exist in an iframe. The editor needs to be modified so all content exists in the iframe. Bundles need to be loaded into the iframe. The editor toolbox with its widget previews needs to be reconsidered, as well.