[Webkit-unassigned] [Bug 218086] New: Same domain sandboxed iframe events blocked from parent listener without allow-scripts

bugzilla-daemon at webkit.org
Thu Oct 22 09:59:25 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=218086

            Bug ID: 218086
           Summary: Same domain sandboxed iframe events blocked from
                    parent listener without allow-scripts
           Product: WebKit
           Version: Safari 14
          Hardware: All
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ccordry at google.com

If a same-domain iframe is created using `srcdoc` with `sandbox=allow-same-origin` and an event listener is created from the parent page, e.g.

    // Runs in the parent page; `iframe` is the sandboxed srcdoc frame.
    const img = iframe.contentDocument.querySelector('img');
    img.addEventListener('click', callback);

The event will be blocked in Safari with the error `Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.` In other modern browsers the event will be received by the parent page. Adding 'allow-scripts' will allow the parent to receive the event.

We believe, according to the spec https://html.spec.whatwg.org/multipage/webappapis.html#sandboxScriptBlocked, these events should not be blocked, as they execute in the parent window and not the sandboxed iframe window.

You can find a demo at: https://sandboxed-listener.glitch.me/

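A feature probe for the behaviour reported above, as an added example that is not part of the original report or of WebKit's code. The function names `listenerReachesParent` and `probeSandboxedFrame` are hypothetical, and the probe assumes a synthetic `click()` goes through the same listener dispatch path as a user click.

```javascript
// Given a loaded iframe, attach a listener from the parent page and report
// whether a click on the framed <img> is delivered to it.
function listenerReachesParent(iframe) {
  const frameDoc = iframe.contentDocument; // null if the frame is not same-origin
  const img = frameDoc && frameDoc.querySelector('img');
  if (!img) return false;
  let fired = false;
  const onClick = () => { fired = true; }; // callback created in the parent realm
  img.addEventListener('click', onClick);
  img.click(); // assumption: same dispatch path as a real user click
  img.removeEventListener('click', onClick);
  return fired;
}

// Build the frame from the report (same-origin, no allow-scripts), wait for
// the srcdoc document to load, then run the probe. Resolves to a boolean.
function probeSandboxedFrame(doc, timeoutMs = 1000) {
  return new Promise((resolve) => {
    const iframe = doc.createElement('iframe');
    iframe.setAttribute('sandbox', 'allow-same-origin');
    iframe.srcdoc = '<img alt="probe">';
    iframe.hidden = true;
    const done = (result) => {
      clearTimeout(timer);
      iframe.remove();
      resolve(result);
    };
    // Treat a frame that never loads as "listener not delivered".
    const timer = setTimeout(() => done(false), timeoutMs);
    iframe.addEventListener('load', () => done(listenerReachesParent(iframe)),
      { once: true });
    doc.body.appendChild(iframe);
  });
}

// In a browser page:
//   probeSandboxedFrame(document).then((ok) => console.log('delivered:', ok));
```

A page that relies on parent-side listeners inside script-less sandboxed frames can run this probe at startup and log the result, rather than adding `allow-scripts` to every frame unconditionally.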