Open
Bug 1279406
Opened 7 years ago
Updated 6 months ago
Sandboxed iframes with "allow-same-origin" should be inherited / intercepted
Categories
(Core :: DOM: Service Workers, defect, P3)
Core
DOM: Service Workers
Tracking
()
NEW
People
(Reporter: asuth, Unassigned)
References
Details
(Whiteboard: btpp-backlog)
Bug 1142727 speculatively disabled interception of sandboxed iframes regardless of attribute. https://github.com/slightlyoff/ServiceWorker/issues/648 was raised to discuss this and the discussion eventually (after bug 1142727 landed) determined that "allow-same-origin" sandboxed iframes should be intercepted, at least AFAICT. The last authoritative-looking comment was @jakearchibald stating "Yeah, so only allow-same-origin should be required for SW interception within a sandboxed iframe." in https://github.com/slightlyoff/ServiceWorker/issues/648#issuecomment-102119060 This seems to be consistent with the WHATWG HTML spec's treatment of "allow-same-origin" and the service worker spec does not seem to otherwise contradict. Also, https://github.com/slightlyoff/ServiceWorker/issues/765 ("serviceworker for iframes with srcdoc") seems to assume this is already the case. I don't believe a bug was ever spun off to correct this, and we likely didn't otherwise notice since it appears the only WPT service-worker test that involves sandbox is service-workers/cache-storage/window/sandboxes-iframes.https.html which does not involve interception. Also, http://searchfox.org/mozilla-central/source/dom/workers/test/serviceworkers/test_sandbox_intercept.html from bug 1142727 continues to require bug 1142727's behavior.
Comment 1•7 years ago
|
||
Do we support IDB in these sandboxes? I thought this decision might have been part of blocking IDB. Otherwise, I agree.
Reporter | ||
Comment 2•7 years ago
|
||
IDB seems happy in a sandbox="allow-scripts allow-same-origin" with a script that's loaded from the same origin and default network.cookie.cookieBehavior, yes. We don't seem to have tests to this end, although I do know (at least Gecko's) IDB does take third-party iframes very seriously.
Updated•7 years ago
|
Whiteboard: btpp-backlog
Updated•6 years ago
|
Priority: -- → P3
Reporter | ||
Comment 3•5 years ago
|
||
In https://github.com/whatwg/html/pull/2809#issuecomment-401993230 :bkelly has identified https://searchfox.org/mozilla-central/rev/97d488a17a848ce3bebbfc83dc916cf20b88451c/docshell/base/nsDocShell.cpp#13815 as the likely line of code to be updated now that we've done other cleanup.
Summary: Sandboxed iframes with "allow-same-origin" should be intercepted → Sandboxed iframes with "allow-same-origin" should be inherited / intercepted
Updated•6 months ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•