If you manage to get the code to execute on a worker or an iframe, you should have a clean environment to operate in, with your own copy of the native environment and prototypes.<p>The question is... how do you create an iframe or worker safely? document.createElement and window.Worker can be poisoned too.<p>Perhaps its possible to verify the functions you're using are native and not created in user-land? that way, at least you could identify the attack and stop execution.