[Webkit-unassigned] [Bug 231944] New: Use of window.alert is not allowed in different origin-domain frames despite `allow-same-origin` and `allow-modals`
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Oct 19 03:29:55 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=231944
Bug ID: 231944
Summary: Use of window.alert is not allowed in different
origin-domain frames despite `allow-same-origin` and
`allow-modals`
Product: WebKit
Version: Safari 15
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: yanahij531 at carpetd.com
Created attachment 441706
--> https://bugs.webkit.org/attachment.cgi?id=441706&action=review
Video recording of error on safari 15
Please try visiting this URL in Safari 15:
https://safari-15-cross-domain-iframe-modal-bug.glitch.me/
The page has a cross-domain iframe in it:
```
<iframe src="https://safari-15-cross-domain-iframe-modal-bug-embed.glitch.me" sandbox="allow-scripts allow-same-origin allow-modals"></iframe>
```
And the source code for that iframe embed is just:
```
<script>alert(1)</script>
```
Since I've added `sandbox="allow-scripts allow-same-origin allow-modals"` to the iframe, I believe the modals should be allowed. Instead the following error is shown in the console:
```
Use of window.alert is not allowed in different origin-domain frames
```
The other major browsers correctly allow the modal with those attributes, and this behavior of allowing modals with those sandbox flags is discussed here:
https://github.com/whatwg/html/issues/5407#issuecomment-775621443
This bug does not exist on Safari 13 or 14. Please see attached video recording.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211019/5361134b/attachment.htm>
More information about the webkit-unassigned
mailing list