[whatwg] iframe sandbox and allow-scripts
Adam Barth
w3c at adambarth.com
Sat Jun 22 22:20:01 PDT 2013
On Fri, Apr 12, 2013 at 4:56 PM, Ian Melven <imelven at mozilla.com> wrote:
> Freddy Braun recently noticed that he could do the following in Firefox :
>
> <iframe id='foo' sandbox='allow-same-origin' src='inner.html'>
>
> (note no allow-scripts)
>
> and then in the document containing the iframe:
>
> var iframe = document.getElementById('foo');
> iframe.contentWindow.eval("alert(document.location)");
>
> and the alert will fire, which he found surprising.
That's the behavior I would expect. You can also do the following:
var iframe = document.getElementById('foo');
iframe.contentWindow.alert("hello");
The allow-scripts sandbox flag doesn't block the script interfaces
inside the iframe. It just prevents content inside the iframe from
triggering script execution. In this case, the content outside the
iframe is the one triggering the script execution.
Adam
More information about the whatwg
mailing list