
Re: [whatwg] iframe sandbox and allow-scripts

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 22 Jun 2013 22:20:01 -0700
Message-ID: <CAJE5ia_XzV9VxN1s1EqkEdh6oYoGfNFjXP4SihvrHePm-Bd8JA@mail.gmail.com>
To: Ian Melven <imelven@mozilla.com>
Cc: whatwg <whatwg@lists.whatwg.org>

On Fri, Apr 12, 2013 at 4:56 PM, Ian Melven <imelven@mozilla.com> wrote:
> Freddy Braun recently noticed that he could do the following in Firefox:
>
> <iframe id='foo' sandbox='allow-same-origin' src='inner.html'>
>
> (note no allow-scripts)
>
> and then in the document containing the iframe:
>
> var iframe = document.getElementById('foo');
> iframe.contentWindow.eval("alert(document.location)");
>
> and the alert will fire, which he found surprising.

That's the behavior I would expect.  You can also do the following:

var iframe = document.getElementById('foo');
iframe.contentWindow.alert("hello");

The allow-scripts sandbox flag doesn't block the script interfaces
inside the iframe.  It just prevents content inside the iframe from
triggering script execution.  In this case, the content outside the
iframe is the one triggering the script execution.

Adam
Received on Sunday, 23 June 2013 05:20:56 UTC
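
The following is an added example, not part of the original message or of any browser's code. It models the two sandbox flags discussed above and lists frames whose own content cannot run script while the embedding page can still run script in them through contentWindow. The function names, the sample frames and the site.example / other.example hosts are constructed, and it assumes the framed document's origin is the origin of its src URL (no redirects, srcdoc or document.domain).

```javascript
// Added example: a model of the sandbox flags discussed in this thread.
// parseSandbox, frameExposure and auditFrames are hypothetical names.

// The sandbox attribute is a whitespace-separated, case-insensitive token set.
// null or undefined means the iframe has no sandbox attribute at all.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

function frameExposure(embedderUrl, frameUrl, sandboxValue) {
  const tokens = parseSandbox(sandboxValue);
  const sandboxed = tokens !== null;
  // Without allow-same-origin the framed document gets a unique origin.
  const keepsOrigin = !sandboxed || tokens.has("allow-same-origin");
  const sameOrigin =
    new URL(frameUrl, embedderUrl).origin === new URL(embedderUrl).origin;
  return {
    // allow-scripts only governs script triggered by the framed content.
    contentCanRunScript: !sandboxed || tokens.has("allow-scripts"),
    // The embedder can call contentWindow.eval() while the origins still match.
    embedderCanRunScriptInFrame: keepsOrigin && sameOrigin,
  };
}

// Ids of frames where content script is blocked but embedder script is not.
function auditFrames(embedderUrl, frames) {
  return frames
    .map((f) => ({ id: f.id, ...frameExposure(embedderUrl, f.src, f.sandbox) }))
    .filter((r) => !r.contentCanRunScript && r.embedderCanRunScriptInFrame)
    .map((r) => r.id);
}

// Constructed sample input; "foo" is the iframe from the quoted message.
const SAMPLE_FRAMES = [
  { id: "foo", src: "inner.html", sandbox: "allow-same-origin" },
  { id: "locked", src: "inner.html", sandbox: "" },
  { id: "scripted", src: "inner.html", sandbox: "Allow-Scripts" },
  { id: "remote", src: "https://other.example/x.html", sandbox: "allow-same-origin" },
  { id: "plain", src: "inner.html", sandbox: null },
];

console.log(auditFrames("https://site.example/outer.html", SAMPLE_FRAMES));
```

Only "foo" is reported: an empty sandbox value gives the frame a unique origin, which is what keeps the embedder's script out of it.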
