Bug 1744352 Comment 0 Edit History
(Thank you Firefox developers for all your hard work! The world needs Firefox.)

I believe the following is an XSS vulnerability present in the current release channel. By specifying target="_blank" you can execute JavaScript in the domain of a sandboxed iframe, even though allow-scripts is not specified. This behavior is blocked by Edge, Chrome, and Safari.

Demo: https://emcmanus.github.io/xss.html

Expected result:
* Sandboxed iframes should not execute JS unless `allow-scripts` is specified
* Firefox should block the `javascript:` URI
* Firefox behavior should match other browsers

Actual result:
* JavaScript runs in the current domain, even though `allow-scripts` is not specified
* Edge, Safari and Chrome block this behavior
* It does not matter whether you use src or srcdoc

I believe a related bug was patched in Firefox 79: https://www.mozilla.org/en-US/security/advisories/mfsa2020-30/#0

Here is the source of the demo:

```html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv='content-type' content='text/html; charset=UTF-8'>
</head>
<body>
<iframe sandbox="allow-same-origin allow-popups" srcdoc="<a href=&quot;javascript:alert(document.domain)&quot; target=&quot;_blank&quot;>click me</a>"></iframe>
</body>
</html>
```
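Added example, not part of the bug report and not Firefox code: defender-side checks an embedder can run over iframe markup before serving it, for the configuration the report describes. `matchesReportedShape` flags a sandbox attribute that grants allow-popups while withholding allow-scripts, and `neutralizeJavascriptUrls` rewrites javascript: URLs in markup destined for srcdoc, normalising the scheme the way the URL parser does (leading whitespace, embedded tab/newline, case, numeric character references). The function names, the regex-based attribute scan and the sample markup are this example's own constructions; it runs under Node.js with no DOM.

```javascript
// Added example, not part of the bug report or of Firefox: helper checks an
// embedder can run over iframe markup it is about to serve. Node.js only; no DOM.

// Tokenise a sandbox attribute as the HTML spec does: split on ASCII
// whitespace, compare ASCII case-insensitively, ignore empty tokens.
function parseSandbox(attr) {
  const flags = new Set();
  for (const tok of String(attr || "").split(/[\t\n\f\r ]+/)) {
    if (tok) flags.add(tok.toLowerCase());
  }
  return flags;
}

// True when the sandbox value has the shape from the report: allow-popups
// granted while allow-scripts is withheld (the frame in the demo also carries
// allow-same-origin, which is why the alert shows the embedder's domain).
function matchesReportedShape(attr) {
  const f = parseSandbox(attr);
  return f.has("allow-popups") && !f.has("allow-scripts");
}

// Decode numeric character references (&#106; / &#x6A;) inside an attribute
// value; the HTML parser decodes these before the URL parser sees the string.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, n) => {
    const cp = n[0].toLowerCase() === "x" ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

// Extract a URL's scheme the way the URL parser does: strip leading and
// trailing C0 controls/space, delete ASCII tab/newline anywhere, lower-case.
// This turns " JavaScript:" and "java\tscript:" back into "javascript".
function urlScheme(href) {
  let s = decodeNumericRefs(String(href));
  s = s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

function isJavascriptUrl(href) {
  return urlScheme(href) === "javascript";
}

// Navigation-capable attributes, matched only as whole attribute names
// (the lookbehind keeps data-href or srcdoc from matching).
const NAV_ATTR = /(?<![\w-])(href|src|action|formaction)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Rewrite attributes carrying a javascript: URL to an inert value. Apply it
// to the decoded inner markup, before escaping it into the outer srcdoc
// attribute. Regex-based attribute scan, not a general HTML parser.
function neutralizeJavascriptUrls(markup) {
  return markup.replace(NAV_ATTR, (whole, name, dq, sq, bare) => {
    const value = dq !== undefined ? dq : sq !== undefined ? sq : bare;
    return isJavascriptUrl(value) ? `${name}="about:blank#blocked"` : whole;
  });
}

// Stand-alone demonstration on a constructed copy of the report's inner markup.
if (typeof require !== "undefined" && require.main === module) {
  const inner = '<a href="javascript:alert(document.domain)" target="_blank">click me</a>';
  console.log(matchesReportedShape("allow-same-origin allow-popups")); // true
  console.log(neutralizeJavascriptUrls(inner)); // href rewritten to about:blank#blocked
}
```

The scheme check deliberately mirrors the parser's own normalisation rather than a literal `startsWith("javascript:")`, because the attribute value reaches the URL parser only after entity decoding and whitespace stripping; a check that skips those steps misses the same input the browser accepts.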