Closed Bug 1273141 Opened 8 years ago Closed 8 years ago

iframe sandbox modal

Categories

(Core :: DOM: Security, enhancement, P3)

46 Branch
enhancement

RESOLVED DUPLICATE of bug 1190641

People

(Reporter: c2296142, Unassigned)

Details

(Keywords: testcase, Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160502172042

Steps to reproduce:

Create an external page (on domain), and internal (on hdd), containing iframes for testing. One such iframe linked to a file, with a script, containing a simple alert (modal).
Iframes contained sandbox tag, with allow-script extended


Actual results:

The modal fired, and the main window got the alert.


Expected results:

No modal should have been fired, due to the allow-modal flag not set on the sandbox. Bad implementation of the standard. (See Chrome's handling, for intended compared to the standard)
Component: Untriaged → Security
Could you attach a testcase, please.
Flags: needinfo?(c2296142)
Keywords: testcase-wanted
http://larpg.dk/backend/testing/

Click "test2" on the middle frame, to trigger alerts
Test doesn't work, as iframes seem to block <a href='javascript:FunctionName();'> executions in Firefox

--- Code triggering alerts
function testGetPost(){
  var jqxhr = $.post( "http://example.com", function() {
    alert( "success" );
  })
    .done(function() {
      alert( "second success" );
    })
    .fail(function() {
      alert( "error" );
    })
    .always(function() {
      alert( "finished" );
    });
  $( "#success" ).load( "http://example.com", function( response, status, xhr ) {
    if ( status == "error" ) {
      var msg = "Sorry but there was an error: ";
      alert( msg + xhr.status + " " + xhr.statusText );
    } else {
      alert("all good");
    }
  });
}//testGetPost();
(In reply to Loic from comment #1)
> Could you attach a testcase, please.

Forgot mark. 
Additionally, the iframes are created by

<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index2.php" id="targetFrame2" name="damn" title="damn2"></iframe>
<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index3.php" id="targetFrame3" name="damn" title="damn2"></iframe>

The purpose of the page is to find strengths/flaws of iframes, before implementation.
Flags: needinfo?(c2296142)
Product: Firefox → Core
Component: Security → DOM: Security
(In reply to c2296142 from comment #0)
> Bad implementation of the standard. (See chromes handling, for
> intended compared to the standard)

Which standard? We implemented http://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-iframe-sandbox which does not have "allow-modals".

There are proposed extensions in the whatwg version, https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-sandbox

We in fact have implemented those, they just haven't shipped in a release version yet.
Severity: normal → enhancement
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Priority: -- → P3
Resolution: --- → DUPLICATE
Whiteboard: [domsecurity-backlog1]
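
Added example (not part of the bug report and not Mozilla's code): a check an embedding page could run to decide whether a sandbox attribute keeps alert() away from the user, given that an engine may follow a sandbox definition without allow-modals, as described in the last comment. The function names and the `supports` callback are assumptions of this sketch; in a browser the callback would wrap `frame.sandbox.supports(token)`.

```javascript
// Split a sandbox attribute value into its token set.
// null/undefined means the attribute is absent (frame is not sandboxed).
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  // Tokens are separated by ASCII whitespace and compared case-insensitively.
  return new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// supports(token) -> boolean: assumed to mirror iframe.sandbox.supports()
// for the engine being assessed.
function assessModals(attr, supports) {
  const tokens = parseSandbox(attr);
  if (tokens === null) {
    return { sandboxed: false, scriptsAllowed: true, alertReachesUser: true,
             note: "no sandbox attribute" };
  }
  const scriptsAllowed = tokens.has("allow-scripts");
  const engineHasModalFlag = supports("allow-modals");
  let alertReachesUser, note;
  if (!scriptsAllowed) {
    alertReachesUser = false;
    note = "scripts are blocked, so no script can open a modal";
  } else if (!engineHasModalFlag) {
    // Engine implements a sandbox definition without allow-modals:
    // nothing restricts modals once scripts run (the behaviour reported here).
    alertReachesUser = true;
    note = "engine has no allow-modals flag; modals are not restricted";
  } else {
    alertReachesUser = tokens.has("allow-modals");
    note = alertReachesUser ? "allow-modals granted" : "modals blocked by sandbox";
  }
  return { sandboxed: true, scriptsAllowed, alertReachesUser, note };
}

// Constructed engine profiles for illustration.
const withoutModalFlag = () => false;                 // sandbox list lacks allow-modals
const withModalFlag = (t) => ["allow-scripts", "allow-modals"].includes(t);

// The attribute used by the testcase frames in this bug.
console.log(assessModals("allow-scripts", withoutModalFlag));
console.log(assessModals("allow-scripts", withModalFlag));
```
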