Sandboxed iframes with "allow-same-origin" should be inherited / intercepted




2 years ago
a month ago


(Reporter: asuth, Unassigned)


Firefox Tracking Flags

(Not tracked)


(Whiteboard: btpp-backlog)



2 years ago
Bug 1142727 speculatively disabled interception of sandboxed iframes regardless of attribute. was raised to discuss this and the discussion eventually (after bug 1142727 landed) determined that "allow-same-origin" sandboxed iframes should be intercepted, at least AFAICT.  The last authoritative-looking comment was @jakearchibald stating "Yeah, so only allow-same-origin should be required for SW interception within a sandboxed iframe." in

This seems to be consistent with the WHATWG HTML spec's treatment of "allow-same-origin" and the service worker spec does not seem to otherwise contradict.  Also, ("serviceworker for iframes with srcdoc") seems to assume this is already the case.

I don't believe a bug was ever spun off to correct this, and we likely didn't otherwise notice since it appears the only WPT service-worker test that involves sandbox is service-workers/cache-storage/window/sandboxes-iframes.https.html which does not involve interception.  Also, from bug 1142727 continues to require bug 1142727's behavior.

Do we support IDB in these sandboxes?  I thought this decision might have been part of blocking IDB.

Otherwise, I agree.

Comment 2

2 years ago
IDB seems happy in a sandbox="allow-scripts allow-same-origin" with a script that's loaded from the same origin and default network.cookie.cookieBehavior, yes.  We don't seem to have tests to this end, although I do know (at least Gecko's) IDB does take third-party iframes very seriously.
Whiteboard: btpp-backlog


11 months ago
Priority: -- → P3

Comment 3

a month ago
In :bkelly has identified as the likely line of code to be updated now that we've done other cleanup.
Summary: Sandboxed iframes with "allow-same-origin" should be intercepted → Sandboxed iframes with "allow-same-origin" should be inherited / intercepted