How We Make Money at Stack Overflow: 2016 Edition: Quality ads. "...we don’t want to use an automated system that selects some ads for us. We looked at this. It didn’t allow us the control we required to maintain the level of quality we want to maintain."
How We Make Money at Stack Overflow: 2019 Edition: Taking money from Microsoft and Google fingerprinting our users 100+ ways
source: https://stackoverflow.blog/2016/11/15/how-we-make-money-at-s...
Your options, as I see them.
1. Text based ads only (no third party js)
2. HTML based ads but no js (run it through DOMPurify https://github.com/cure53/DOMPurify)
3. Look for a js sandbox -- this _will_ break arbitrary js, will not be supported in all browsers, and will require dev work on your side:
* Google Caja https://github.com/google/caja
* MentalJS https://github.com/hackvertor/MentalJS
Other options are available as well, in varying levels of maturity and support.
I think using a sandbox iframe is not going to be able to defeat browser fingerprinting, because the sandbox control options are not rich enough. You would need to block all JS.
Or use iframe.sandbox, which was designed for it. https://www.w3schools.com/tags/att_iframe_sandbox.asp
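An added example, not part of the thread above: one way to combine the two points raised there (`iframe.sandbox`, and blocking all JS) is to embed the ad markup through `srcdoc` in a sandbox that never carries `allow-scripts`, with a CSP inside the frame as a second layer. The function names, the CSP policy, the default token list and the sample ad are assumptions made for illustration.

```javascript
// Added example: build a script-free sandboxed iframe for third-party ad HTML.
// All names and the policy string below are illustrative assumptions.

// Tokens that must never be granted to ad content: allow-scripts re-enables
// JS (and with it fingerprinting), allow-same-origin gives the frame the
// embedding page's origin.
const FORBIDDEN_TOKENS = new Set(["allow-scripts", "allow-same-origin"]);

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Normalise the requested sandbox tokens and refuse any forbidden one.
function checkSandboxTokens(tokens) {
  const cleaned = tokens.map((t) => t.trim().toLowerCase()).filter(Boolean);
  const bad = cleaned.filter((t) => FORBIDDEN_TOKENS.has(t));
  if (bad.length > 0) {
    throw new Error("sandbox token not allowed for ads: " + bad.join(", "));
  }
  return cleaned.join(" ");
}

// Wrap the ad in a document whose CSP allows only HTTPS images and inline
// styles, then embed it via srcdoc. The default tokens let a clicked ad open
// in a normal, unsandboxed tab.
function buildAdFrame(
  adHtml,
  tokens = ["allow-popups", "allow-popups-to-escape-sandbox"]
) {
  const csp = "default-src 'none'; img-src https:; style-src 'unsafe-inline'";
  const doc =
    '<!doctype html><meta http-equiv="Content-Security-Policy" content="' +
    csp + '"><base target="_blank">' + adHtml;
  return '<iframe sandbox="' + checkSandboxTokens(tokens) +
    '" srcdoc="' + escapeAttr(doc) + '" referrerpolicy="no-referrer"></iframe>';
}

// Constructed sample ad carrying a script tag and an inline event handler.
const SAMPLE_AD =
  '<a href="https://ads.example/c"><img src="https://ads.example/b.png" ' +
  'onerror="fp()"></a><script>fp()</script>';
```

The script tag and the `onerror` handler are still present in the framed document, but neither runs, because a sandbox without `allow-scripts` disables script execution and the CSP blocks it independently.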