Open Bug 1279406 Opened 7 years ago Updated 6 months ago

Sandboxed iframes with "allow-same-origin" should be inherited / intercepted

Categories

(Core :: DOM: Service Workers, defect, P3)

Product:
Core
Component:
DOM: Service Workers
Type:
defect

Tracking

()

People

(Reporter: asuth, Unassigned)

References

Details

(Whiteboard: btpp-backlog) 

Bug 1142727 speculatively disabled interception of sandboxed iframes regardless of attribute.  https://github.com/slightlyoff/ServiceWorker/issues/648 was raised to discuss this and the discussion eventually (after bug 1142727 landed) determined that "allow-same-origin" sandboxed iframes should be intercepted, at least AFAICT.  The last authoritative-looking comment was @jakearchibald stating "Yeah, so only allow-same-origin should be required for SW interception within a sandboxed iframe." in https://github.com/slightlyoff/ServiceWorker/issues/648#issuecomment-102119060

This seems to be consistent with the WHATWG HTML spec's treatment of "allow-same-origin" and the service worker spec does not seem to otherwise contradict.  Also, https://github.com/slightlyoff/ServiceWorker/issues/765 ("serviceworker for iframes with srcdoc") seems to assume this is already the case.

I don't believe a bug was ever spun off to correct this, and we likely didn't otherwise notice since it appears the only WPT service-worker test that involves sandbox is service-workers/cache-storage/window/sandboxes-iframes.https.html which does not involve interception.  Also, http://searchfox.org/mozilla-central/source/dom/workers/test/serviceworkers/test_sandbox_intercept.html from bug 1142727 continues to require bug 1142727's behavior.
Do we support IDB in these sandboxes?  I thought this decision might have been part of blocking IDB.

Otherwise, I agree.
IDB seems happy in a sandbox="allow-scripts allow-same-origin" with a script that's loaded from the same origin and default network.cookie.cookieBehavior, yes.  We don't seem to have tests to this end, although I do know (at least Gecko's) IDB does take third-party iframes very seriously.
Whiteboard: btpp-backlog
Priority: -- → P3
In https://github.com/whatwg/html/pull/2809#issuecomment-401993230 :bkelly has identified https://searchfox.org/mozilla-central/rev/97d488a17a848ce3bebbfc83dc916cf20b88451c/docshell/base/nsDocShell.cpp#13815 as the likely line of code to be updated now that we've done other cleanup.
Summary: Sandboxed iframes with "allow-same-origin" should be intercepted → Sandboxed iframes with "allow-same-origin" should be inherited / intercepted
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.