Sandbox

By default, frontend custom scripts attached to forms are sandboxed. These scripts can use most of the normal APIs to control submissions, forms, and interface elements like the menu bar. The sandbox disables direct access to page elements and uses CORS restrictions to prevent requests to organization pages.

Custom Views are technically sandboxed from the rest of the page, but scripts within a view have direct access to any of that view's own DOM elements.

We strongly recommend leaving the sandbox enabled. It guarantees a basic level of security and exploit protection for any scripts you write or third-party scripts you include. The structure and naming of DOM elements are also subject to change without warning, so the best practice is to use the Custom Scripting API to control them.

If you need a specific function that isn't available in the sandbox, or have a suggestion for a new function, please email us at support@sonadier.com. We are happy to work with you to keep your scripts secure and maintainable.

Disabling the Sandbox

Organization Managers can disable sandboxing with the Disable Script Sandboxing Plugin.

This plugin can be disabled at any time from the Plugins tab of your Management panel.