[whatwg] iframe sandbox and allow-scripts from Ian Melven on 2013-04-12 (public-whatwg-archive@w3.org from April 2013)

From: Ian Melven <imelven@mozilla.com>
Date: Fri, 12 Apr 2013 16:56:29 -0700 (PDT)
To: whatwg <whatwg@lists.whatwg.org>
Message-ID: <1730627251.9824473.1365810989306.JavaMail.root@mozilla.com>

Hi,

Freddy Braun recently noticed that he could do the following in Firefox :

<iframe id='foo' sandbox='allow-same-origin' src='inner.html'>

(note no allow-scripts)

and then in the document containing the iframe:

var iframe = document.getElementById('foo');
iframe.contentWindow.eval("alert(document.location)");

and the alert will fire, which he found surprising.

I tested this in Chrome and IE 10 and found the behavior consistent across all three browsers.

The relevant portion of the spec seems to be (from http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#enabling-and-disabling-scripting) : 

* Scripting is enabled in a browsing context if ... The browsing context's active document's active sandboxing flag set does not have its sandboxed scripts browsing context flag set.

is the intent in Freddy's case to apply this rule using the browsing context of the script entry point ? that fits
the implemented behavior, but maybe should be mentioned in the iframe sandbox/allow-scripts section of the spec ?

thanks,
ian

Received on Friday, 12 April 2013 23:56:53 UTC