Let's disallow opening modal dialogs from sandboxed iframes by default. Chrome and Edge already do this. This should include * `alert()` * `confirm()` * `prompt` * `print()` * `showModalDialog()` * `beforeunload` and possibly more?
Is this in the spec? Should it be?
WHATWG added it to HTML, yes: https://html.spec.whatwg.org/multipage/browsers.html#sandboxed-modals-flag. That's trickled down into the W3C version as well: https://w3c.github.io/html/browsers.html#sandboxed-modals-flag.
(In reply to Tanvi Vyas [:tanvi] from comment #1) > Is this in the spec? Should it be? Thanks Mike! Removing freddy's needinfo.
Looks like bz is picking this up in bug 1190641.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1190641
You need to log in before you can comment on or make changes to this bug.