This commit adds live-preview-sandbox.js, which is a drop-in replacement
for live-preview.js. It creates the preview frame in a separate origin
and communicates with friendlycode through postmessage.
This is done primarily to prevent malicious code from compromising the
Right now this doesn't work with the preview-to-editor-mapping
component, but it can be made to.
I originally tried using the "sandbox" iframe attribute, which is supported
on webkit and bleeding-edge versions of firefox, but as child iframes
inherit the properties of their sandboxed parent, this proved problematic.
So I just assume that the preview iframe is in a separate origin; by default,
if no alternate origin is passed in, the code assumes it's at port+1 (i.e.,
if the friendlycode instance is at localhost:8001, the sandboxed iframe
is created at localhost:8002). This is currently inconvenient to set up
because it requires running two web servers on different ports.