Closed Bug 1216480 Opened 9 years ago Closed 8 years ago

block dialogs from confirm(), print(), etc. in iframe[sandbox]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1190641

People

(Reporter: freddy, Unassigned)

Details

(Whiteboard: [domsecurity-backlog])

Frederik Braun [:freddy]

Reporter

Description

•

9 years ago

Let's disallow opening modal dialogs from sandboxed iframes by default. Chrome and Edge already do this.

This should include
* `alert()`
* `confirm()`
* `prompt`
* `print()`
* `showModalDialog()`
* `beforeunload`
and possibly more?

Tanvi Vyas[:tanvi]

Comment 1

•

8 years ago

Is this in the spec?  Should it be?

Flags: needinfo?(fbraun)

Christoph Kerschbaumer [:ckerschb]

Updated

•

8 years ago

Whiteboard: [domsecurity-backlog]

Mike West

Comment 2

•

8 years ago

WHATWG added it to HTML, yes: https://html.spec.whatwg.org/multipage/browsers.html#sandboxed-modals-flag. That's trickled down into the W3C version as well: https://w3c.github.io/html/browsers.html#sandboxed-modals-flag.

Tanvi Vyas[:tanvi]

Comment 3

•

8 years ago

(In reply to Tanvi Vyas [:tanvi] from comment #1)
> Is this in the spec?  Should it be?

Thanks Mike!  Removing freddy's needinfo.

Flags: needinfo?(fbraun)

Bob Owen (:bobowen)

Comment 4

•

8 years ago

Looks like bz is picking this up in bug 1190641.

Status: NEW → RESOLVED

Closed: 8 years ago

Resolution: --- → DUPLICATE

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

block dialogs from confirm(), print(), etc. in iframe[sandbox]

Categories

(Core :: DOM: Security, defect)

Tracking

()

People

(Reporter: freddy, Unassigned)

References

Details

(Whiteboard: [domsecurity-backlog])

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Comment 2

Comment 3

Comment 4