Closed Bug 1273141 Opened 9 years ago Closed 8 years ago

iframe sandbox modal

Categories

(Core :: DOM: Security, enhancement, P3)

46 Branch
enhancement

RESOLVED DUPLICATE of bug 1190641

People

(Reporter: c2296142, Unassigned)

Details

(Keywords: testcase, Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160502172042

Steps to reproduce:

Create an external page (on domain), and internal (on hdd), containing iframes for testing. One such iframe linked to a file, with a script, containing a simple alert (modal). Iframes contained sandbox tag, with allow-script extended

Actual results:

The modal fired, and the main window got the alert.

Expected results:

No modal should have been fired, due to the allow-modal flag not set on the sandbox. Bad implementation of the standard. (See Chrome's handling, for intended compared to the standard)

Component: Untriaged → Security
Could you attach a testcase, please.
Flags: needinfo?(c2296142)
Keywords: testcase-wanted

http://larpg.dk/backend/testing/

Click "test2" on the middle frame, to trigger alerts

Test doesn't work, as iframes seem to block <a href='javascript:FunctionName();'> executions in Firefox

---
Code triggering alerts

function testGetPost(){
  var jqxhr = $.post( "http://example.com", function() {
    alert( "success" );
  })
  .done(function() {
    alert( "second success" );
  })
  .fail(function() {
    alert( "error" );
  })
  .always(function() {
    alert( "finished" );
  });

  $( "#success" ).load( "http://example.com", function( response, status, xhr ) {
    if ( status == "error" ) {
      var msg = "Sorry but there was an error: ";
      alert( msg + xhr.status + " " + xhr.statusText );
    }else{
      alert("all good");
    }
  });
}//testGetPost();

(In reply to Loic from comment #1)
> Could you attach a testcase, please.

Forgot mark.

Additionally, the iframes are created by

<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index2.php" id="targetFrame2" name="damn" title="damn2"></iframe>
<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index3.php" id="targetFrame3" name="damn" title="damn2"></iframe>

The purpose of the page is to find strengths/flaws of iframes, before implementation.
Flags: needinfo?(c2296142)
Product: Firefox → Core
Component: Security → DOM: Security

(In reply to c2296142 from comment #0)
> Bad implementation of the standard. (See Chrome's handling, for
> intended compared to the standard)

Which standard? We implemented
http://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-iframe-sandbox
which does not have "allow-modals".

There are proposed extensions in the WHATWG version,
https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-sandbox
We in fact have implemented those, they just haven't shipped in a release version yet.

Severity: normal → enhancement
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Priority: -- → P3
Resolution: --- → DUPLICATE
Whiteboard: [domsecurity-backlog1]
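
Added example, not part of the bug thread or of Firefox code: a small JavaScript model of the difference discussed in the last comment, where an engine that recognises the `allow-modals` keyword blocks dialogs for `sandbox="allow-scripts"` while one following the older text without that keyword does not. The function names, keyword sets and sample markup are constructed for illustration.

```javascript
// Constructed model: sandbox keywords two kinds of engine recognise (subset).
const WHATWG_KEYWORDS = new Set(["allow-scripts", "allow-modals"]);
const W3C_KEYWORDS = new Set(["allow-scripts"]); // older text, no allow-modals

// Split a sandbox attribute value into lowercased, whitespace-separated tokens.
function parseSandbox(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// attrValue === null means the iframe carries no sandbox attribute at all.
function modalPolicy(attrValue, engineKeywords) {
  if (attrValue === null) return { scripts: true, modals: true };
  const tokens = parseSandbox(attrValue);
  const scripts = tokens.has("allow-scripts");
  // An engine that does not know "allow-modals" has no modal restriction to lift.
  const gated = engineKeywords.has("allow-modals");
  return { scripts, modals: scripts && (!gated || tokens.has("allow-modals")) };
}

// Crude attribute extraction, adequate for the constructed sample below only.
function sandboxValues(html) {
  const values = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attr = /\bsandbox(?:\s*=\s*"([^"]*)")?/i.exec(m[1]);
    values.push(attr ? (attr[1] ?? "") : null);
  }
  return values;
}

// Constructed sample modelled on the iframes quoted in the bug.
const SAMPLE = `
<iframe sandbox="allow-scripts" src="index2.php"></iframe>
<iframe sandbox="allow-scripts allow-modals" src="index3.php"></iframe>
<iframe sandbox src="index4.php"></iframe>
<iframe src="index5.php"></iframe>`;

// For each iframe in SAMPLE: can a script in it open alert()/confirm()/prompt()?
function report(engineKeywords) {
  return sandboxValues(SAMPLE).map((v) => modalPolicy(v, engineKeywords).modals);
}

console.log("knows allow-modals:   ", report(WHATWG_KEYWORDS));
console.log("no allow-modals token:", report(W3C_KEYWORDS));
```

The first sample frame is the case from the report: the two engines disagree only there, which is why the same page behaved differently across browsers.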