如何在Javascript中打印不受信任的html blob

我正在从内容类型为text / html的API加载blob,此blob完全基于用户输入,因此不受信任,它可能包含例如恶意脚本,该脚本从local_storage抓取了access_token并将其发送到某些Web服务器。 安全地打印此类Blob的最佳实践是什么?

我的代码当前将blob加载到隐藏的沙盒iFrame中,并调用print()。但是,完美的沙箱将阻止在iFrame内容上调用print(),因此我不得不向沙箱添加“ allow-same-origin”和“ allow-modals”例外。但是我不确定这些异常是否或如何危及安全性:

/**
 * Attaches the given blob in a hidden iFrame and calls print() on
 * that iFrame, and then takes care of cleanup duty afterwards.
 * This function was inspired from MDN: https://mzl.la/2YfOs1v
 */
export function printBlob(blob: Blob): void {
  const url = window.URL.createObjectURL(blob);
  const iframe = document.createElement('iframe');
  iframe.onload = setPrintFactory(url);
  iframe.style.position = 'fixed';
  iframe.style.right = '0';
  iframe.style.bottom = '0';
  iframe.style.width = '0';
  iframe.style.height = '0';
  iframe.style.border = '0';
  iframe.sandbox.add('allow-same-origin');
  iframe.sandbox.add('allow-modals');
  iframe.src = url;
  document.body.appendChild(iframe);
}

function setPrintFactory(url: string): () => void {
  // As soon as the iframe is loaded and ready
  return function() {
    this.contentWindow.__container__ = this;
    this.contentWindow.__url__ = url;
    this.contentWindow.onbeforeunload = closePrint;
    this.contentWindow.onafterprint = closePrint;
    this.contentWindow.focus(); // Required for IE
    this.contentWindow.print();
  };
}

function closePrint() {
  // Cleanup durty once the user closes the print dialog
  document.body.removeChild(this.__container__);
  window.URL.revokeObjectURL(this.__url__);
}

谢谢你的帮助,