Automatic transformation of XML namespaces/Implementation considerations
The term sandboxing means running an untrusted program in such a way that it is unable to damage system or user files or disclose sensitive information. Reliable sandboxing is required for all implementations of this standard that may access the network, as otherwise the implementation would be potentially harmful by running a malicious program loaded from the Web.
Implementation note: http://portonsoft.wordpress.com/2014/01/11/toward-robust-linux-sandbox/
As on certain systems it is too hard or impossible to implement sandboxing for dealing securely with converter programs downloaded from the Web, it is feasible to implement this recommendation as HTTP proxy servers on supporting systems, so that users of non-supporting systems can access the functionality related to this standard through these proxies.
Implementation of this recommendation in the form of an HTTP proxy server is also useful for using it with non-supporting Web browsers (including all browsers shipped before this standard is written).
I thought it was possible only with SELinux or something like that. But there is also Firejail, which we can use instead.
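One way to run a downloaded converter under Firejail, as mentioned above. This is an added example, not part of this recommendation or of any implementation of it. It assumes the converter is a stdin-to-stdout filter stored in a dedicated cache directory; the function names, the limits and the sample path are hypothetical.

```shell
# Added example, not part of the specification. Function names, limits and
# paths are illustrative assumptions; the options are Firejail's own.
# Constructed usage: run_converter /var/cache/xmlns/to-xhtml <in.xml >out.xml

# Print the sandboxed command, one argument per line, for the downloaded
# converter at absolute path "$1".
sandbox_argv() {
    conv=$1
    nl='
'
    case $conv in
        ''|[!/]*|*"$nl"*) echo "need an absolute, single-line path" >&2; return 1 ;;
    esac
    dir=$(dirname -- "$conv")
    name=$(basename -- "$conv")
    case $name in
        -*|.|..|/) echo "refusing converter name: $name" >&2; return 1 ;;
    esac
    # --private=DIR makes DIR the sandbox's home directory, so the real home
    # is hidden and the converter is reachable as $HOME/<name>.
    cat <<EOF
firejail
--quiet
--noprofile
--net=none
--private=$dir
--private-dev
--private-tmp
--caps.drop=all
--seccomp
--nonewprivs
--rlimit-as=536870912
--rlimit-cpu=10
--timeout=00:00:30
$HOME/$name
EOF
}

# Run the converter as a filter: XML on stdin, transformed XML on stdout.
run_converter() {
    argv=$(sandbox_argv "$1") || return 1
    old_ifs=$IFS
    IFS='
'
    set -f; set -- $argv; set +f
    IFS=$old_ifs
    "$@"
}
```

The sandbox has no network (`--net=none`), so a converter cannot send the document it is transforming anywhere; the address-space, CPU and wall-clock limits stop a converter that loops or exhausts memory.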