[Webkit-unassigned] [Bug 209653] New: events from sandboxed iframe (allow-same-origin) not firing

bugzilla-daemon at webkit.org
Fri Mar 27 09:01:20 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=209653

            Bug ID: 209653
           Summary: events from sandboxed iframe (allow-same-origin) not
                    firing
           Product: WebKit
           Version: Safari 13
          Hardware: Unspecified
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: UI Events
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: frisou76 at yahoo.fr

Hi.

Version:
- tested on gnome web (13.0 / ubuntu 18.04 x86_64)
- tested on virtual safari 13.0.2 (via browser stack)

Description:
Sandboxed iframe with parameter sandbox="allow-same-origin" does not fire events (any kind: onload, onclick,...), and message "Blocked script execution in '...' because the document's frame is sandboxed and the 'allow-scripts' permission is not set." is displayed in console.

Expected:
Scripts inside the iframe must not be executed, but parent script functions attached to iframe content events should be executed, since they are trusted.

Other browsers:
Works in Firefox, Chromium, IE, Edge


Steps to reproduce:
1) Create an iframe by script with parameter sandbox="allow-same-origin"
2) Populate iframe by script with untrusted content
3) Attach iframe event like onload / onreadystatechange / onclick to a function

Code sample:

<html>
<head>
</head>
<body>
<script>
  var iframe = document.createElement('iframe');
  // allow-modals is set because we use alert in the button.onclick function
  // that, however, shall not be launched
  iframe.setAttribute('sandbox', 'allow-same-origin allow-modals');
  iframe.style.width = iframe.style.height = "100%";
  document.body.appendChild(iframe);
  var idocument = iframe.contentWindow.document;

  // trusted handler, attached from the parent document
  var onready = idocument.onreadystatechange = function(){
    if (idocument.readyState == 'complete') {
      idocument.querySelector('button').addEventListener('click', function(ev){
        alert('This script is trusted :-)');
      }, false);
    }
  };

  // untrusted content: its inline onclick must stay blocked by the sandbox
  idocument.write('<head></head><body><button onclick="alert(\'This script is UNTRUSTED :-(\')">click Me</button></body>');
  try{
    idocument.close();
  }catch(er){
  }

  // as a first workaround for webkit, let's set up a loop to check readyState
  function checkComplete(){
    if (idocument.readyState != 'complete')
      return setTimeout(checkComplete, 100);
    onready();
  }
  checkComplete();
</script>
</body>
</html>


Thanks.
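The report relies on a specific combination of sandbox tokens: allow-same-origin so the parent can reach the frame's DOM and attach trusted handlers, and no allow-scripts so the untrusted inline onclick is blocked. The following checker is an added example, not code from the bug report or from WebKit; the function names parseSandbox and assessSandbox and the frameIsSameOrigin parameter are assumptions. It tokenises a sandbox attribute value the way browsers do (ASCII whitespace separated, case-insensitive) and reports what the resulting policy lets framed content do, including the one combination that lets same-origin content remove the sandbox attribute and reload itself out of it:

```javascript
// Added example (not from the bug report): a checker for the iframe sandbox
// token list, written from the embedder's (defender's) point of view.
// Function names and the frameIsSameOrigin parameter are assumptions.

const KNOWN_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-downloads',
]);

// Split a sandbox attribute value into lower-cased tokens.
// Returns null when the attribute is absent (no sandbox applied at all).
function parseSandbox(attrValue) {
  if (attrValue == null) return null;
  return attrValue.trim().toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
}

// Summarise the policy that a sandbox attribute value produces.
// frameIsSameOrigin: whether the framed document would be same-origin with
// the embedder if no sandbox were applied (true for document.write / srcdoc
// content, as in the report).
function assessSandbox(attrValue, frameIsSameOrigin = true) {
  const tokens = parseSandbox(attrValue);
  if (tokens === null) {
    return {
      sandboxed: false,
      scriptsRun: true,
      sameOrigin: frameIsSameOrigin,
      parentCanReachDom: frameIsSameOrigin,
      escapable: false,
      unknownTokens: [],
    };
  }
  const has = (t) => tokens.includes(t);
  const scriptsRun = has('allow-scripts');
  const sameOrigin = has('allow-same-origin') && frameIsSameOrigin;
  return {
    sandboxed: true,
    scriptsRun,
    // Without allow-same-origin the frame gets an opaque origin, so the
    // embedder cannot touch contentWindow.document even though it created it.
    sameOrigin,
    parentCanReachDom: sameOrigin,
    // With both allow-scripts and allow-same-origin on a same-origin document,
    // framed script can reach the parent, remove the sandbox attribute and
    // reload itself: the sandbox is then only advisory.
    escapable: scriptsRun && sameOrigin,
    unknownTokens: tokens.filter((t) => !KNOWN_TOKENS.has(t)),
  };
}

// The reporter's value: parent keeps DOM access, framed scripts stay blocked.
const reportPolicy = assessSandbox('allow-same-origin allow-modals');
console.log(reportPolicy);
```

For the value used in the report, assessSandbox returns scriptsRun false, parentCanReachDom true and escapable false, which is exactly the arrangement the report depends on: trusted parent code can reach the frame and attach listeners, while the untrusted inline handler never runs. Adding allow-scripts to that list flips escapable to true, so a page that needs scripts inside untrusted content should drop allow-same-origin and communicate with the frame via postMessage instead.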
