Can workers be secure enough for an untrusted code

Question

I have an untrusted code submitted by a user, and I need to execute it in a sandboxed environment in a browser.

I was advised that Web-Workers cannot be secure enoug

Answer 1

Is separate origin policy applied to the worker code in this case?

No, from the current editor's draft of the File API specification:

The origin of a Blob URL must be the same as the effective script origin specified by the incumbent settings object at the time the method that created it -- either URL.createObjectURL or URL.createFor -- was called.

---

additional reasons, why a worker is (by default) less restricted comparing to the sandboxed iframe

Sandboxed iframes can specify some permissions on things other than cross-origin communication. For example, you can prevent the sandboxed content from opening popups. Although web workers currently don't have APIs to do many of these things.

---

is there any chance to set-up a worker somehow so that it would be restricted enough

There just isn't any security mechanism for web workers. There are other tools in the web platform for isolating untrusted code, like a sandboxed iframe as you point out. You could have a sandboxed iframe create a web worker, if that's any better.