Open Bug 1279406 Opened 6 years ago Updated 4 years ago
Sandboxed iframes with "allow-same-origin" should be inherited / intercepted
Bug 1142727 speculatively disabled interception of sandboxed iframes regardless of attribute. https://github.com/slightlyoff/ServiceWorker/issues/648 was raised to discuss this and the discussion eventually (after bug 1142727 landed) determined that "allow-same-origin" sandboxed iframes should be intercepted, at least AFAICT. The last authoritative-looking comment was @jakearchibald stating "Yeah, so only allow-same-origin should be required for SW interception within a sandboxed iframe." in https://github.com/slightlyoff/ServiceWorker/issues/648#issuecomment-102119060

This seems to be consistent with the WHATWG HTML spec's treatment of "allow-same-origin" and the service worker spec does not seem to otherwise contradict. Also, https://github.com/slightlyoff/ServiceWorker/issues/765 ("serviceworker for iframes with srcdoc") seems to assume this is already the case.

I don't believe a bug was ever spun off to correct this, and we likely didn't otherwise notice since it appears the only WPT service-worker test that involves sandbox is service-workers/cache-storage/window/sandboxes-iframes.https.html which does not involve interception. Also, http://searchfox.org/mozilla-central/source/dom/workers/test/serviceworkers/test_sandbox_intercept.html from bug 1142727 continues to require bug 1142727's behavior.
Do we support IDB in these sandboxes? I thought this decision might have been part of blocking IDB. Otherwise, I agree.
IDB seems happy in a sandbox="allow-scripts allow-same-origin" with a script that's loaded from the same origin and default network.cookie.cookieBehavior, yes. We don't seem to have tests to this end, although I do know (at least Gecko's) IDB does take third-party iframes very seriously.
In https://github.com/whatwg/html/pull/2809#issuecomment-401993230 :bkelly has identified https://searchfox.org/mozilla-central/rev/97d488a17a848ce3bebbfc83dc916cf20b88451c/docshell/base/nsDocShell.cpp#13815 as the likely line of code to be updated now that we've done other cleanup.
Summary: Sandboxed iframes with "allow-same-origin" should be intercepted → Sandboxed iframes with "allow-same-origin" should be inherited / intercepted
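The difference between the behavior bug 1142727 introduced and the behavior requested in this bug, as an added example that is not part of the original bug report and is not Gecko code. It models the two policies over constructed sandbox attribute values; every function name is hypothetical.

```javascript
// Added illustration: a model of the two interception policies discussed in
// this bug. Not Gecko code; all names here are hypothetical.

// Parse a sandbox attribute value into its token set. Per the HTML spec the
// value is a set of space-separated tokens matched ASCII case-insensitively.
// null means the iframe has no sandbox attribute at all.
function parseSandboxTokens(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(
    attr.split(/[ \t\n\f\r]+/)
      .filter(Boolean)
      .map(t => t.replace(/[A-Z]/g, c => c.toLowerCase()))
  );
}

// A sandboxed document keeps its real origin only when allow-same-origin is
// present; without it the document gets an opaque origin.
function hasOpaqueOrigin(attr) {
  const tokens = parseSandboxTokens(attr);
  return tokens !== null && !tokens.has("allow-same-origin");
}

// Behavior described for bug 1142727: any sandbox attribute disables interception.
function interceptedAfterBug1142727(attr) {
  return parseSandboxTokens(attr) === null;
}

// Behavior requested here: only allow-same-origin is required for interception.
function interceptedAsProposed(attr) {
  return !hasOpaqueOrigin(attr);
}

// Constructed sample attribute values (null = attribute absent).
const SAMPLES = [null, "", "allow-scripts", "allow-scripts allow-same-origin",
                 "ALLOW-SAME-ORIGIN", "allow-same-origin-ish"];

// Evaluate both policies side by side for each sample value.
function compare(samples) {
  return samples.map(attr => ({
    sandbox: attr,
    afterBug1142727: interceptedAfterBug1142727(attr),
    proposed: interceptedAsProposed(attr),
  }));
}

console.table(compare(SAMPLES));
```

Only the rows carrying a real allow-same-origin token differ between the two policies; an empty attribute or a look-alike token stays opaque-origin and unintercepted under both.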