block dialogs from confirm(), print(), etc. in iframe[sandbox]

RESOLVED DUPLICATE of bug 1190641

Status

()

Core
DOM: Security
RESOLVED DUPLICATE of bug 1190641
3 years ago
2 years ago

People

(Reporter: freddyb, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog])

Let's disallow opening modal dialogs from sandboxed iframes by default. Chrome and Edge already do this.

This should include
* `alert()`
* `confirm()`
* `prompt`
* `print()`
* `showModalDialog()`
* `beforeunload`
and possibly more?

Comment 1

2 years ago
Is this in the spec?  Should it be?
Flags: needinfo?(fbraun)
Whiteboard: [domsecurity-backlog]

Comment 2

2 years ago
WHATWG added it to HTML, yes: https://html.spec.whatwg.org/multipage/browsers.html#sandboxed-modals-flag. That's trickled down into the W3C version as well: https://w3c.github.io/html/browsers.html#sandboxed-modals-flag.

Comment 3

2 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #1)
> Is this in the spec?  Should it be?

Thanks Mike!  Removing freddy's needinfo.
Flags: needinfo?(fbraun)

Comment 4

2 years ago
Looks like bz is picking this up in bug 1190641.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1190641
You need to log in before you can comment on or make changes to this bug.