Re: [whatwg] iframe sandbox and allow-scripts

On Fri, Apr 12, 2013 at 4:56 PM, Ian Melven <imelven@mozilla.com> wrote:
> Freddy Braun recently noticed that he could do the following in Firefox :
>
> <iframe id='foo' sandbox='allow-same-origin' src='inner.html'>
>
> (note no allow-scripts)
>
> and then in the document containing the iframe:
>
> var iframe = document.getElementById('foo');
> iframe.contentWindow.eval("alert(document.location)");
>
> and the alert will fire, which he found surprising.

That's the behavior I would expect.  You can also do the following:

var iframe = document.getElementById('foo');
iframe.contentWindow.alert("hello");

The allow-scripts sandbox flag doesn't block the script interfaces
inside the iframe.  It just prevents content inside the iframe from
triggering script execution.  In this case, the content outside the
iframe is the one triggering the script execution.

Adam

Received on Sunday, 23 June 2013 05:20:56 UTC