[whatwg] iframe sandbox and allow-scripts

Ian Melven imelven at mozilla.com
Fri Apr 12 16:56:29 PDT 2013


Hi,

Freddy Braun recently noticed that he could do the following in Firefox :

<iframe id='foo' sandbox='allow-same-origin' src='inner.html'>

(note no allow-scripts)

and then in the document containing the iframe:

var iframe = document.getElementById('foo');
iframe.contentWindow.eval("alert(document.location)");

and the alert will fire, which he found surprising.

I tested this in Chrome and IE 10 and found the behavior consistent across all three browsers.

The relevant portion of the spec seems to be (from http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#enabling-and-disabling-scripting) : 

* Scripting is enabled in a browsing context if ... The browsing context's active document's active sandboxing flag set does not have its sandboxed scripts browsing context flag set.

is the intent in Freddy's case to apply this rule using the browsing context of the script entry point ? that fits
the implemented behavior, but maybe should be mentioned in the iframe sandbox/allow-scripts section of the spec ?

thanks,
ian



More information about the whatwg mailing list