Open
Bug 1279406
Opened 9 years ago
Updated 11 months ago
Sandboxed iframes with "allow-same-origin" should be inherited / intercepted
Categories
(Core :: DOM: Service Workers, defect, P3)
Core
DOM: Service Workers
Tracking
()
ASSIGNED
People
(Reporter: asuth, Assigned: asuth)
References
Details
(Whiteboard: btpp-backlog, dom-lws-bugdash-triage)
Bug 1142727 speculatively disabled interception of sandboxed iframes regardless of attribute. https://github.com/slightlyoff/ServiceWorker/issues/648 was raised to discuss this and the discussion eventually (after bug 1142727 landed) determined that "allow-same-origin" sandboxed iframes should be intercepted, at least AFAICT. The last authoritative-looking comment was @jakearchibald stating "Yeah, so only allow-same-origin should be required for SW interception within a sandboxed iframe." in https://github.com/slightlyoff/ServiceWorker/issues/648#issuecomment-102119060
This seems to be consistent with the WHATWG HTML spec's treatment of "allow-same-origin" and the service worker spec does not seem to otherwise contradict. Also, https://github.com/slightlyoff/ServiceWorker/issues/765 ("serviceworker for iframes with srcdoc") seems to assume this is already the case.
I don't believe a bug was ever spun off to correct this, and we likely didn't otherwise notice since it appears the only WPT service-worker test that involves sandbox is service-workers/cache-storage/window/sandboxes-iframes.https.html which does not involve interception. Also, http://searchfox.org/mozilla-central/source/dom/workers/test/serviceworkers/test_sandbox_intercept.html from bug 1142727 continues to require bug 1142727's behavior.
|
||
Comment 1•9 years ago
|
||
Do we support IDB in these sandboxes? I thought this decision might have been part of blocking IDB.
Otherwise, I agree.
|
Assignee | |
Comment 2•9 years ago
|
||
IDB seems happy in a sandbox="allow-scripts allow-same-origin" with a script that's loaded from the same origin and default network.cookie.cookieBehavior, yes. We don't seem to have tests to this end, although I do know (at least Gecko's) IDB does take third-party iframes very seriously.
|
||
Updated•9 years ago
|
Whiteboard: btpp-backlog
|
||
Updated•8 years ago
|
Priority: -- → P3
|
|
Assignee | |
Comment 3•7 years ago
|
||
In https://github.com/whatwg/html/pull/2809#issuecomment-401993230 :bkelly has identified https://searchfox.org/mozilla-central/rev/97d488a17a848ce3bebbfc83dc916cf20b88451c/docshell/base/nsDocShell.cpp#13815 as the likely line of code to be updated now that we've done other cleanup.
Summary: Sandboxed iframes with "allow-same-origin" should be intercepted → Sandboxed iframes with "allow-same-origin" should be inherited / intercepted
|
||
Updated•3 years ago
|
Severity: normal → S3
|
|
Assignee | |
Updated•11 months ago
|
Assignee: nobody → bugmail
Status: NEW → ASSIGNED
|
||
Updated•11 months ago
|
Whiteboard: btpp-backlog → btpp-backlog, dom-lws-bugdash-triage
You need to log in
before you can comment on or make changes to this bug.
Description
•