Closed Bug 1082846 Opened 11 years ago Closed 11 years ago

embedded links with target=_blank within iframes with sandbox = "allow-popups allow-scripts" don't load scripts when they open in a new tab.

Categories: Core :: Security, defect
Version: 32 Branch
Platform: x86, macOS
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 1037381
Reporter: proteusvacuum
Assignee: Unassigned
Keywords: testcase
Attachments: 1 file

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

Create 2 pages with the following markup, saved in the same directory:

index.html:

    <html>
      <body>
        <h1>Test!</h1>
        <iframe src="./frame.html" frameborder="0" sandbox="allow-popups allow-scripts"></iframe>
      </body>
    </html>

frame.html:

    <html>
      <body>
        <h2>Frame!</h2>
        <a href="https://www.humblebundle.com/" target="_blank">Link</a>
      </body>
    </html>

Visit index.html in Firefox 32. Click the link.

Actual results:

The external page loads in a new tab, as expected. However, none of the javascripts are loaded / executed, so the site is unusable (this is the case with any link in the place of humblebundle).

Expected results:

I think that the page referred to in the link should have loaded with all of its javascripts. (In Chrome 38, the external page loads as I would expect: with all of the javascripts).
Component: Untriaged → Security
Keywords: testcase
Product: Firefox → Core
Chrome has a known bug in its handling of sandbox="allow-popups". See bug 1037381 comment 1 for a description of what the spec says in this situation.

Per spec, the result of clicking the link in your testcase is to open https://www.humblebundle.com/ with the sandbox flags generated by sandbox="allow-popups allow-scripts". In other words, the behavior must be exactly the same as doing:

    <iframe sandbox="allow-popups allow-scripts" src="https://www.humblebundle.com/"></iframe>

If you do that in either Chrome or Firefox with the site you mention, it doesn't so much work, because its scripts (which do in fact get loaded and executed) throw a bunch of exceptions because they're running sandboxed.

So I think all that's going on here is the security bug in Chrome and incorrect expectations for how sandboxed iframes should behave...
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Thanks for the clarification, and sorry for posting a duplicate. I have seen a few sites that are therefore using the iframe in an incorrect manner (taking advantage of the security bug, I suppose); I will let them know of this.
Thank you for doing that!
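A simplified model of the spec behaviour described in the resolving comment above, added here as an example and not taken from the bug or from Firefox's code: it parses a sandbox attribute into the restrictions that remain active and computes what a target=_blank popup starts with. The flag and function names are illustrative assumptions, only a subset of keywords is modeled, and allow-popups-to-escape-sandbox is the HTML Standard keyword that opts popups out of inheritance.

```javascript
// Simplified model of HTML sandbox-flag parsing and popup inheritance.
// Flag names are shortened for illustration; only a subset of keywords is modeled.
const KEYWORD_LIFTS = {
  "allow-forms": "forms",
  "allow-modals": "modals",
  "allow-pointer-lock": "pointer-lock",
  "allow-popups": "auxiliary-navigation",
  "allow-popups-to-escape-sandbox": "propagates-to-auxiliary",
  "allow-same-origin": "origin",
  "allow-scripts": "scripts",
  "allow-top-navigation": "top-level-navigation",
};
const ALL_FLAGS = Object.values(KEYWORD_LIFTS);

// Returns the set of restrictions that remain active for a sandbox="" value.
function parseSandbox(attr) {
  const flags = new Set(ALL_FLAGS); // an empty attribute restricts everything
  // Tokens are separated by ASCII whitespace and matched case-insensitively.
  for (const tok of attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean)) {
    const lifted = KEYWORD_LIFTS[tok];
    if (lifted) flags.delete(lifted); // unknown tokens lift nothing
  }
  return flags;
}

// Returns null if the popup is blocked, otherwise the restrictions the new tab starts with.
function popupFlags(openerAttr) {
  const opener = parseSandbox(openerAttr);
  if (opener.has("auxiliary-navigation")) return null;          // no allow-popups
  if (!opener.has("propagates-to-auxiliary")) return new Set(); // popup escapes the sandbox
  return new Set(opener);                                       // popup inherits every restriction
}

const sorted = (s) => (s === null ? null : [...s].sort());

// The testcase from this bug: sandbox="allow-popups allow-scripts"
const attr = "allow-popups allow-scripts";
console.log("iframe restrictions:", sorted(parseSandbox(attr)));
console.log("popup restrictions: ", sorted(popupFlags(attr)));
console.log("blocked without allow-popups:", popupFlags("allow-scripts") === null);
console.log("with escape keyword:", sorted(popupFlags(attr + " allow-popups-to-escape-sandbox")));
```

For the testcase, the popup's restrictions are identical to the iframe's: scripts are allowed, but the origin restriction stays active because allow-same-origin is absent.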