[Webkit-unassigned] [Bug 209653] New: events from sandboxed iframe (allow-same-origin) not firing
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Mar 27 09:01:20 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=209653
Bug ID: 209653
Summary: events from sandboxed iframe (allow-same-origin) not
firing
Product: WebKit
Version: Safari 13
Hardware: Unspecified
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: UI Events
Assignee: webkit-unassigned at lists.webkit.org
Reporter: frisou76 at yahoo.fr
Hi.
Version:
- tested on gnome web (13.0 / ubuntu 18.04 x86_64)
- tested on virtual safari 13.0.2 (via browser stack)
Description:
Sandboxed iframe with parameter sandbox="allow-same-origin" does not fire events (any kind: onload, onclick,...), and message "Blocked script execution in '...' because the document's frame is sandboxed and the 'allow-scripts' permission is not set." is displayed in console.
Awaited:
Scripts inside the iframe must not be executed, but parent script functions attached to iframe content events should be executed, since they are trusted.
Other browsers:
Works in Firefox, Chromium, IE, Edge
Steps to reproduce:
1) Create an iframe by script with parameter sandbox="allow-same-origin"
2) Populate iframe by script with untrusted content
3) Attach iframe event like onload / onreadystatechange / onclick to a function
Code sample:
<html>
<head>
</head>
<body>
<script>
var iframe = document.createElement('iframe');
iframe.setAttribute('sandbox', 'allow-same-origin allow-modals'); //allow-modals is set because we use alert in button.onclick function that, however, shall not be launched
iframe.style.width = iframe.style.height = "100%";
document.body.appendChild(iframe);
var idocument = iframe.contentWindow.document;
var onready = idocument.onreadystatechange = function(){
if (idocument.readyState == 'complete') {
idocument.querySelector('button').addEventListener('click', function(ev){
alert('This script is trusted :-)');
}, false)
}
}
idocument.write('<head></head><body><button onclick="alert(\'This script is UNTRUSTED :-(\')">click Me</button></body>');
try{
idocument.close()
}catch(er){
}
// as a first workaround for webkit, let's set up a loop to check readyState
function checkComplete(){
if (idocument.readyState != 'complete')
return setTimeout(checkComplete, 100);
onready();
}
checkComplete();
</script>
</body>
</html>
Thanks.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200327/6381abe9/attachment.htm>
More information about the webkit-unassigned
mailing list