To do what http://www.hidemyass.com/ is doing is impossible with just javascript, because javascript is client side. This site likely acts as a server proxy... almost, which means it requires server side communication (probably). (Likely the reason they're asking for money because they handle the traffic) You will likely need AJAX to do this which requires a server with some ability to handle and access other servers without restriction. Any free server will not do this easily and often have a policy on servers that they track communications to. So you are likely to have to pay somebody, if you aren't already. this is cheep if it's just you but the more traffic the more expensive.
That said, you can see if what sandbox mode offers is right for you.
<iframe sandbox><iframe>
To re-enable features add them to sandbox pramiters
- (no value) - - - - - - - - - - - - - - - -Applies all restrictions
- allow-forms - - - - - - - - - - - - - - Re-enables form submission
- allow-pointer-lock - - - - - - - - - - Re-enables APIs
- allow-popups - - - - - - - - - - - - - Re-enables popups
- allow-same-origin - - - - - - - - - -Allows the iframe content to be treated as being from the same origin
- allow-scripts - - - - - - - - - - - - - Re-enables scripts
- allow-top-navigation - - - - - - - - Allows the iframe content to navigate its top-level browsing context
source: w3schools
<iframe sandbox="allow-forms"><iframe>
If that does not satisfy, play with onclick and onchange events to stop users from interacting. with clickable elements or moving to other pages.
<iframe onchange="function(){\
document.getElementsByTagName("iframe"[0].src =\
"http://facebook.com");\
}"></iframe>
or some kind of onclick prevent default.
It's not safe in the first place so why stop there.
Access the iframe.contentDocument and search and remove all <a...</a> tags or just the ones you want. there is some kind of remove child method you can look up to do this. if you want to be more savvy you can compare href's an see if it belongs to a foreign site.
