User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160502172042

Steps to reproduce:
Create an external page (on domain), and internal (on hdd), containing iframes for testing. One such iframe linked to a file, with a script, containing a simple alert (modal). Iframes contained sandbox tag, with allow-script extended

Actual results:
The modal fired, and the main window got the alert.

Expected results:
No modal should have been fired, due to the allow-modal flag not set on the sandbox. Bad implementation of the standard. (See Chrome's handling, for intended compared to the standard)

Could you attach a testcase, please.

(In reply to Loic from comment #1)
> Could you attach a testcase, please.

Forgot mark. Additionally, the iframes are created by

<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index2.php" id="targetFrame2" name="damn" title="damn2"></iframe>
<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index3.php" id="targetFrame3" name="damn" title="damn2"></iframe>

The purpose of the page is to find strengths/flaws of iframes, before implementation.

Component: Security → Security
Keywords: testcase-wanted → testcase
Product: Firefox → Core

(In reply to c2296142 from comment #0)
> Bad implementation of the standard. (See Chrome's handling, for
> intended compared to the standard)

Which standard? We implemented http://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-iframe-sandbox which does not have "allow-modals".

There are proposed extensions in the whatwg version, https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-sandbox

We in fact have implemented those, they just haven't shipped in a release version yet.

Severity: normal → enhancement
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Priority: -- → P3
Resolution: --- → DUPLICATE
Duplicate of bug: 1190641
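
The difference discussed in this thread, as an added example that is not part of the bug report or of Firefox's code: it audits iframe markup and reports whether script in each frame can open alert()/confirm()/prompt() on an engine that does not know the allow-modals keyword versus one that implements it. The function names, the simplified regex-based tag parsing and the sample markup are assumptions made for the illustration.

```javascript
// Constructed sample markup (example.test is a placeholder host).
const SAMPLE_HTML = `
<iframe sandbox="allow-scripts" src="https://example.test/a.html"></iframe>
<iframe sandbox="allow-scripts allow-modals" src="https://example.test/b.html"></iframe>
<iframe sandbox="" src="https://example.test/c.html"></iframe>
<iframe src="https://example.test/d.html"></iframe>
`;

// Sandbox keywords are ASCII-whitespace separated and ASCII case-insensitive.
function sandboxTokens(value) {
  return new Set(value.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase()));
}

// Can script inside the frame open a modal dialog?
// sandboxValue === null means the iframe has no sandbox attribute at all.
// engineKnowsAllowModals=false models an engine without the allow-modals keyword.
function canShowModal(sandboxValue, engineKnowsAllowModals) {
  if (sandboxValue === null) return true;          // not sandboxed
  const tokens = sandboxTokens(sandboxValue);
  if (!tokens.has("allow-scripts")) return false;  // no script runs, so nothing calls alert()
  if (!engineKnowsAllowModals) return true;        // modals are not a restricted feature here
  return tokens.has("allow-modals");               // blocked unless explicitly allowed
}

// Simplified scan of <iframe> start tags; a real audit would use an HTML parser.
function auditIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const sandboxRe = /\bsandbox\b(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const sb = sandboxRe.exec(m[1]);
    const src = /\bsrc\s*=\s*"([^"]*)"/i.exec(m[1]);
    const value = sb ? (sb[1] ?? sb[2] ?? sb[3] ?? "") : null;
    results.push({
      src: src ? src[1] : null,
      sandbox: value,
      modalWithoutKeyword: canShowModal(value, false),
      modalWithKeyword: canShowModal(value, true),
    });
  }
  return results;
}

console.log(auditIframes(SAMPLE_HTML));
```

Rows where the two columns differ are frames whose behaviour depends on whether the browser ships allow-modals, which is the case reported here for sandbox="allow-scripts".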