Bug 1799036 Comment 10 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

This does seem to be mitigated (i.e. I can't repro) if the iframe is cross-origin, FWIW.

e.g.
(1) if I take the `srcdoc=...` attribute contents of testcase 3 and put them in a separate file called `iframe.html` and serve them over HTTP using e.g. `python2 -m SimpleHTTPServer` and then load the testcase as a file:/// URL (but with `<iframe src="http://localhost:8000/iframe.html">`), then the whole iframe ends up red, but none of the red leaks out into the outer page.

(2) If I repeat the process with both pages served over HTTP from different hosts, then I similarly don't see any red leaking out beyond the frame.

(3) If I serve both pages over http from the same host using different port numbers, then the red leaks out.  (I had assumed it wouldn't since I thought port-number-differences made something cross-origin, but there's probably some subtlety I'm forgetting there...)

This does seem to be mitigated (i.e. I can't repro) if the iframe is truly cross-origin and hence out-of-process, FWIW.

e.g.
(1) if I take the `srcdoc=...` attribute contents of testcase 3 and put them in a separate file called `iframe.html` and serve them over HTTP using e.g. `python2 -m SimpleHTTPServer` and then load the testcase as a file:/// URL (but with `<iframe src="http://localhost:8000/iframe.html">`), then the whole iframe ends up red, but none of the red leaks out into the outer page.

(2) If I repeat the process with both pages served over HTTP from different hosts, then I similarly don't see any red leaking out beyond the frame.

(3) If I serve both pages over http from the same host using different port numbers, then the red leaks out.  (I had assumed it wouldn't since I thought port-number-differences made something cross-origin, but there's probably some subtlety I'm forgetting there...  Maybe we share the same process for port numbers on the same host in some cases, or something?)

This does seem to be mitigated (i.e. I can't repro) if the iframe is truly cross-origin and hence out-of-process, FWIW.

e.g.
(1) if I take the `srcdoc=...` attribute contents of testcase 3 and put them in a separate file called `iframe.html` and serve them over HTTP using e.g. `python2 -m SimpleHTTPServer` and then load the testcase as a file:/// URL (but with `<iframe src="http://localhost:8000/iframe.html">`), then the whole iframe ends up red, but none of the red leaks out into the outer page.

(2) If I repeat the process with both pages served over HTTP from different hosts, then I similarly don't see any red leaking out beyond the frame.

(3) If I serve both pages over http from the same host using different port numbers, then the red leaks out.  (I had assumed it wouldn't since I thought port-number-differences made something cross-origin, but there's probably some subtlety I'm forgetting there...  Maybe we share the same process for cross-origin hosts that only differ by port number, or something?)
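
Added example, not part of the original comment: the three setups above classified against the web platform's two boundaries, origin (scheme, host, port) and site (scheme plus registrable domain, port ignored). The hostnames `a.test` and `b.test`, port 8001 and the file path are constructed, and `siteKey` is a hypothetical helper that approximates the registrable domain without the Public Suffix List.

```javascript
// Origin = scheme + host + port. file: URLs have an opaque origin,
// which serializes as the string "null" and matches nothing.
function originKey(u) {
  const o = new URL(u).origin;
  return o === 'null' ? null : o;
}

// Site = scheme + registrable domain; the port is NOT part of it.
// Simplification (assumption): IP literals and single-label hosts are
// used as-is, otherwise the last two labels stand in for eTLD+1.
function siteKey(u) {
  const url = new URL(u);
  if (url.origin === 'null') return null;          // opaque: unique site
  const host = url.hostname;
  const isIp = /^\d+(\.\d+){3}$/.test(host) || host.startsWith('[');
  const labels = host.split('.');
  const domain = (isIp || labels.length < 2) ? host : labels.slice(-2).join('.');
  return url.protocol + '//' + domain;
}

// Classify a parent document / iframe pair.
function classify(parentUrl, frameUrl) {
  const po = originKey(parentUrl), fo = originKey(frameUrl);
  if (po !== null && po === fo) return 'same-origin';
  const ps = siteKey(parentUrl), fs = siteKey(frameUrl);
  if (ps !== null && ps === fs) return 'same-site, cross-origin';
  return 'cross-site';
}

// Constructed URL pairs mirroring setups (1)-(3) in the comment.
const setups = [
  ['(1) file:/// parent, HTTP frame',
    'file:///tmp/testcase3.html', 'http://localhost:8000/iframe.html'],
  ['(2) different hosts',
    'http://a.test:8000/testcase3.html', 'http://b.test:8000/iframe.html'],
  ['(3) same host, different ports',
    'http://localhost:8000/testcase3.html', 'http://localhost:8001/iframe.html'],
];
for (const [label, parent, frame] of setups) {
  console.log(label + ': ' + classify(parent, frame));
}
```

A browser that assigns processes by site rather than by origin guarantees separate processes only for the pairs reported as `cross-site`.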
