There is a new iframe sandbox attribute that can be used to even further limit the code. There are also a blogpost at MSDN discussing this feature. Jeblad (talk) 15:36, 24 February 2012 (UTC)
Topic on Extension talk:EmbedScript/Flow
I'm starting this project back up; following up on some old comments. :)
Yeah, looks like sandbox="allow-scripts"
may be what we want; disables some things but still allows scripting. I'll want to make sure that doesn't break the postMessage though...