[whatwg] iframe sandbox and allow-scripts

Adam Barth w3c at adambarth.com
Sat Jun 22 22:20:01 PDT 2013

On Fri, Apr 12, 2013 at 4:56 PM, Ian Melven <imelven at mozilla.com> wrote:
> Freddy Braun recently noticed that he could do the following in Firefox :
> <iframe id='foo' sandbox='allow-same-origin' src='inner.html'>
> (note no allow-scripts)
> and then in the document containing the iframe:
> var iframe = document.getElementById('foo');
> iframe.contentWindow.eval("alert(document.location)");
> and the alert will fire, which he found surprising.

That's the behavior I would expect.  You can also do the following:

var iframe = document.getElementById('foo');

The allow-scripts sandbox flag doesn't block the script interfaces
inside the iframe.  It just prevents content inside the iframe from
triggering script execution.  In this case, the content outside the
iframe is the one triggering the script execution.


More information about the whatwg mailing list