Removing all default globals from Nashorn

Carlos Ricardo Feliz kaleetos at gmail.com
Wed Oct 30 16:06:52 PDT 2013


Hello all,
I’m wondering if anyone knows of a way to use Nashorn from Java without all of the default global objects (e.g. the default packages and type functions, $ENV, $OUT etc.). I know that I can simply overwrite these variables with null, but I was hoping there was a way to set some flag to prevent the creation of these globals or perhaps clear some 'global bindings' object. So far I’ve had no luck finding either.

I’m trying to completely sandbox Nashorn (providing only a few functions that I will expose after removing all of the aforementioned globals). The thing that concerns me with simply “putting” null on top of all those variables is that perhaps a later update to Nashorn might introduce new global variables (or worse — there may be globals that I’m not aware of).

I read Sundar’s response here: http://www.mail-archive.com/nashorn-dev@openjdk.java.net/msg01153.html# however the solution provided there does not hide *all* of the globals. In particular all of the shell scripting global objects and functions are still available (for example quit() is still available which would be *very* bad in the context where I’m using Nashorn). Sundar also mentions that the first two points require a SecurityManager to be enabled. I would really like to avoid using a SecurityManager as it causes problems in other parts of the system which are out of my control (and in any case the security manager does not seem to remove all of the globals either).

Any ideas on how to safely achieve this would be greatly appreciated.

Thanks,
Carlos F.
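
The concern in the message above (overwriting known names misses globals that are added later or were never noticed) is the usual argument for an allowlist. The following is an added example, not code from the original post or from the Nashorn project: an ES5 function that deletes every own property of a global object that is not allowlisted and reports the ones it could not delete. `pruneGlobals`, `ES5_ALLOWLIST`, `makeStandInGlobal`, `readConfig`, `addedInLaterRelease` and `lockedHelper` are hypothetical names, the stand-in object is constructed, and applying the function to Nashorn's real global object is an assumption that is not exercised here.

```javascript
// Added example. Written in ES5 so the same source could also be evaluated by Nashorn.
// Allowlist of ECMAScript 5.1 standard globals to keep (a policy choice, constructed here).
var ES5_ALLOWLIST = ["Object", "Function", "Array", "String", "Boolean", "Number",
  "Date", "RegExp", "Error", "TypeError", "RangeError", "SyntaxError", "ReferenceError",
  "Math", "JSON", "NaN", "Infinity", "undefined", "parseInt", "parseFloat",
  "isNaN", "isFinite"];

// Delete every own property of globalObj that is not allowlisted.
// Returns the names removed and the names that could not be removed.
function pruneGlobals(globalObj, allowlist, extraKeep) {
  var keep = Object.create(null); // no inherited keys, so any name is safe to look up
  var names = allowlist.concat(extraKeep || []);
  var removed = [], stuck = [], i;
  for (i = 0; i < names.length; i++) { keep[names[i]] = true; }
  // getOwnPropertyNames includes non-enumerable properties, which for-in would miss.
  var present = Object.getOwnPropertyNames(globalObj);
  for (i = 0; i < present.length; i++) {
    var name = present[i];
    if (name in keep) { continue; }
    var desc = Object.getOwnPropertyDescriptor(globalObj, name);
    if (desc.configurable) {
      delete globalObj[name];
      removed.push(name);
    } else {
      stuck.push(name); // non-configurable: delete would fail, so report it instead
    }
  }
  return { removed: removed.sort(), stuck: stuck.sort() };
}

// Constructed stand-in for an engine global object (not Nashorn's real one).
function makeStandInGlobal() {
  var g = { Object: Object, JSON: JSON, Math: Math };
  var extras = ["quit", "exit", "Packages", "Java", "$ENV", "$OUT", "addedInLaterRelease"];
  extras.forEach(function (n) {
    Object.defineProperty(g, n, { value: function () {}, configurable: true, writable: true });
  });
  Object.defineProperty(g, "lockedHelper", { value: 1, configurable: false });
  g.readConfig = function () { return "ok"; }; // the one host function we expose
  return g;
}

var demoGlobal = makeStandInGlobal();
var report = pruneGlobals(demoGlobal, ES5_ALLOWLIST, ["readConfig"]);
// report.removed lists the engine extras, including the one nobody knew about;
// report.stuck lists what still needs another control.
```

Pruning names only changes what a script can look up on the global object; it does not restrict what the objects still reachable from the script can do, so anything in `stuck` and every exposed host function needs its own review.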



