Closed Bug 1287885 Opened 8 years ago Closed 8 years ago

window.alert not being restricted by iframe sandbox

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
47 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1190641

People

(Reporter: jpmunz, Unassigned)

Details

Attachments

(1 file)

test.html
157 bytes, text/html
Details
Attached file test.html 
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623154057

Steps to reproduce:

Open the attached html file in FF 47.0.1 and click the X button


Actual results:

An alert popup is shown


Expected results:

Since the iframe that triggered the popup has 'sandbox="allow-scripts"' the action shouldn't have been allowed. From https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe#attr-sandbox this should only be allowed if 'sandbox="allow-scripts allow-modals"'
Component: Untriaged → DOM: Security
Product: Firefox → Core
As shown in the compatibility section at the bottom of that MDN page, allow-modals wasn't added until Firefox 49. You can test this in our current "Dev Edition". This probably ought to be a dupe of the bug that implemented the feature, but I'm too lazy to look that up right now so I'll mark it worksforme.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Resolution: WORKSFORME → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: