Status


Core
DOM: Security
P3
enhancement
RESOLVED DUPLICATE of bug 1190641
2 years ago
2 years ago

People

(Reporter: c2296142, Unassigned)

Tracking

({testcase})

46 Branch
testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog1])

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160502172042

Steps to reproduce:

Create an external page (on a domain) and an internal one (on hdd), containing iframes for testing. One such iframe linked to a file, with a script, containing a simple alert (modal).
Iframes contained a sandbox tag, with allow-scripts extended


Actual results:

The modal fired, and the main window got the alert.


Expected results:

No modal should have been fired, due to the allow-modals flag not being set on the sandbox. Bad implementation of the standard. (See Chrome's handling for the intended behaviour compared to the standard.)
(Reporter)

Updated

2 years ago
Component: Untriaged → Security

Comment 1

2 years ago
Could you attach a testcase, please.
Flags: needinfo?(c2296142)
Keywords: testcase-wanted
(Reporter)

Comment 2

2 years ago
http://larpg.dk/backend/testing/

Click "test2" on the middle frame, to trigger alerts
Test doesn't work, as iframes seem to block <a href='javascript:FunctionName();'> executions in Firefox

--- Code triggering alerts
function testGetPost() {
  var jqxhr = $.post("http://example.com", function() {
    alert("success");
  })
    .done(function() {
      alert("second success");
    })
    .fail(function() {
      alert("error");
    })
    .always(function() {
      alert("finished");
    });
  $("#success").load("http://example.com", function(response, status, xhr) {
    if (status == "error") {
      var msg = "Sorry but there was an error: ";
      alert(msg + xhr.status + " " + xhr.statusText);
    } else {
      alert("all good");
    }
  });
} // testGetPost();
(Reporter)

Comment 3

2 years ago
(In reply to Loic from comment #1)
> Could you attach a testcase, please.

Forgot mark. 
Additionally, the iframes are created by

<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index2.php" id="targetFrame2" name="damn" title="damn2"></iframe>
<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index3.php" id="targetFrame3" name="damn" title="damn2"></iframe>

The purpose of the page is to find strengths/flaws of iframes, before implementation.
Flags: needinfo?(c2296142)

Updated

2 years ago
Component: Security → Security
Keywords: testcase-wanted → testcase
Product: Firefox → Core

Updated

2 years ago
Component: Security → DOM: Security
(In reply to c2296142 from comment #0)
> Bad implementation of the standard. (See chromes handling, for
> intended compared to the standard)

Which standard? We implemented http://w3c.github.io/html/semantics-embedded-content.html#element-attrdef-iframe-sandbox which does not have "allow-modals".

There are proposed extensions in the whatwg version, https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-sandbox

We in fact have implemented those, they just haven't shipped in a release version yet.
Severity: normal → enhancement
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Priority: -- → P3
Resolution: --- → DUPLICATE
Whiteboard: [domsecurity-backlog1]
Duplicate of bug: 1190641
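The disagreement in this bug comes down to which token list the embedder relies on: the W3C draft cited in the resolution has no allow-modals, while the WHATWG attr-iframe-sandbox section does, and a sandboxed frame without it has alert(), confirm(), prompt() and print() suppressed. The following audit helper is an added example, not code from this bug or from Firefox; it applies the WHATWG token rules to a sandbox attribute value (ASCII-whitespace-separated, ASCII-case-insensitive tokens, duplicates ignored) and reports what the framed document keeps, so a reviewer can see at a glance that the reporter's `sandbox="allow-scripts"` markup from comment 3 leaves modals blocked per that spec. The function names, the `SAMPLE_HTML` fixture (the two iframes from comment 3 plus two constructed ones with an `example.invalid` host) and the regex-based attribute reader are this example's own; the token names are the spec's.

```javascript
// Sandbox tokens defined in the WHATWG HTML spec (attr-iframe-sandbox).
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Split a sandbox attribute value into its unique, lowercased tokens.
// Per spec the value is an unordered set of ASCII-case-insensitive,
// ASCII-whitespace-separated tokens; unknown tokens are ignored by browsers,
// which usually means a typo silently grants nothing (and is worth flagging).
function parseSandbox(attrValue) {
  const tokens = new Set();
  const unknown = [];
  for (const raw of String(attrValue).split(/[ \t\n\f\r]+/)) {
    if (raw === "") continue;
    const token = raw.toLowerCase();
    if (tokens.has(token)) continue; // duplicates are harmless, ignore them
    tokens.add(token);
    if (!KNOWN_TOKENS.has(token)) unknown.push(token);
  }
  return { tokens, unknown };
}

// Derive the capabilities the framed document keeps. `null` means the
// sandbox attribute is absent (no sandboxing at all); an empty string means
// the attribute is present with every restriction active.
function sandboxPolicy(attrValue) {
  if (attrValue === null || attrValue === undefined) {
    return { sandboxed: false, scripts: true, modals: true, sameOrigin: true,
             escapeRisk: false, unknownTokens: [] };
  }
  const { tokens, unknown } = parseSandbox(attrValue);
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  return {
    sandboxed: true,
    scripts,
    // Without allow-modals the sandboxed modals flag is set and alert(),
    // confirm(), prompt(), print() and the beforeunload prompt are no-ops.
    modals: tokens.has("allow-modals"),
    sameOrigin,
    // The spec's own warning: allow-scripts plus allow-same-origin lets a
    // same-origin framed document remove the sandbox attribute of its frame.
    escapeRisk: scripts && sameOrigin,
    unknownTokens: unknown,
  };
}

// Read one attribute from the attribute string of a single tag.
// Returns null when absent, "" for a bare attribute, else the value.
function readAttr(attrs, name) {
  const re = new RegExp(
    "(?:^|\\s)" + name + "(?:\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+)))?(?=\\s|$)", "i");
  const m = re.exec(attrs);
  if (!m) return null;
  for (const group of [m[1], m[2], m[3]]) {
    if (group !== undefined) return group;
  }
  return "";
}

// Walk every <iframe ...> tag in an HTML string and report its policy.
// A regex is enough for this audit of static markup; it is not a full parser.
function auditIframes(html) {
  const results = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    results.push({ src: readAttr(m[1], "src"), policy: sandboxPolicy(readAttr(m[1], "sandbox")) });
  }
  return results;
}

// Constructed fixture: the reporter's two frames plus two made up for contrast.
const SAMPLE_HTML = `
<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index2.php" id="targetFrame2" name="damn" title="damn2"></iframe>
<iframe sandbox="allow-scripts" src="http://larpg.dk/backend/testing/index3.php" id="targetFrame3" name="damn" title="damn2"></iframe>
<iframe sandbox="allow-scripts allow-modals" src="https://example.invalid/modal-ok.html"></iframe>
<iframe src="https://example.invalid/unsandboxed.html"></iframe>
`;

for (const { src, policy } of auditIframes(SAMPLE_HTML)) {
  console.log(src, JSON.stringify(policy));
}
```

Running it prints one line per frame; the first two show `"modals":false`, which is the behaviour the reporter expected and the behaviour the WHATWG extension specifies, while the unsandboxed frame shows everything permitted. The `escapeRisk` field is there because an audit that only looks for allow-modals misses the more consequential combination the spec itself warns about.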