[Webkit-unassigned] [Bug 90613] New: Inside a sandboxed iframe, it should be possible to create another iframe and access it
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jul 5 08:31:54 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=90613
Summary: Inside a sandboxed iframe, it should be possible to
create another iframe and access it
Product: WebKit
Version: 525.x (Safari 3.2)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Frames
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: bruno.michel at af83.com
Created an attachment (id=150946)
--> (https://bugs.webkit.org/attachment.cgi?id=150946&action=review)
The first file of the test case
Hi,
I'm working with iframes and iframes inside iframes (probably not ideal, but I have to). In the parent window, I have an iframe with sandbox="allow-scripts". Inside it, I have a javascript that creates other iframes and load content for them by setting the src or srcdoc attributes. Just a bit latter, the same javascript tries to inspect the content of these iframes but it fails: "Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL http://localhost:3000/frame.html. Domains, protocols and ports must match".
I was expecting that the script run fine as it should be on the same fake domain. Of course, if I add the allow-same-origin on the sandbox property of the first iframe, it works. But it defeats the goal of using the sandbox as the sandboxed iframe can overload it.
I'm not really sure that it is a bug, but as I don't understand why someone would want this behaviour, I think it's better to make a bug report and let informed people decide about it.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list