Closed Bug 1287989 Opened 3 years ago Closed 3 years ago

Required empty inputs inside sandboxed iframe do validate


(Core :: DOM: Security, defect)




Tracking Status
firefox51 --- fixed


(Reporter: Oriol, Assigned: bzbarsky)





Run this code in a page or in a console:

    var iframe = document.createElement('iframe');
    iframe.sandbox = 'allow-scripts';
    iframe.src = 'data:text/html,'
      + '<form onsubmit="console.log(\'wrong\'); return false">'
        + '<input required oninvalid="console.log(\'good\'); return false" />'
        + '<input type="submit" />'
      + '</form>'
      + '<script>document.querySelector("input + input").click()<\/script>';

A submit event is dispatched to the form, as if there weren't any invalid fields.

I would have expected an invalid event instead, as Chrome does.

Or, according to, no result at all.


That is, when the sandbox attribute for IFRAMEs was implemented.
This is a great report, Oriol, thanks. Moving it to DOM->Security.
Component: Untriaged → DOM: Security
Hmm.  So we do this quite purposefully.  HTMLFormElement::CheckValidFormSubmission has:

  // Don't do validation for a form submit done by a sandboxed document that
  // doesn't have 'allow-forms', the submit will have been blocked and the
  // HTML5 spec says we shouldn't validate in this case.
  nsIDocument* doc = GetComposedDoc();
  if (doc && (doc->GetSandboxFlags() & SANDBOXED_FORMS)) {
    return true;
  }

Looking at the HTML spec, we're starting with a click on a submit input.  That lands at which has activation behavior that does

In that algorithm, step 2 aborts if the sandboxed forms flag is set.  That means there should be no "submit" event on the form, _and_ there should be no "invalid" event on the input.  As in, we should hoist the sandboxing check out of CheckValidFormSubmission and into a separate method, I think, called unconditionally.  Olli, you reviewed that code.  Do you recall why we implemented it this way, exactly?  Did the spec use to say something different?

I filed on Chrome not matching the spec here.
Flags: needinfo?(bugs)
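To make the ordering question concrete, here is an added model of the spec's "submit" algorithm in plain JavaScript (not Firefox's C++ and not the reporter's test page; the function names are invented for illustration). It contrasts the behaviour described above, where the sandbox check lives inside the validity check, with the spec order, where step 2 aborts before validation and before any submit event.

```javascript
// Added example: a small model of the HTML "submit" algorithm showing how the
// position of the sandbox check decides which events fire. Names are invented.

function makeForm({ sandboxedForms, controls }) {
  return { sandboxedForms, controls, events: [] };
}

// Interactive validation: fire "invalid" at each control that fails its
// constraints (here only `required` on an empty value) and report the result.
function checkValidity(form) {
  let valid = true;
  for (const c of form.controls) {
    if (c.required && c.value === '') {
      form.events.push(`invalid:${c.name}`);
      valid = false;
    }
  }
  return valid;
}

// Behaviour described in the bug: the sandbox check sits inside the validity
// check, so validation is skipped but the submit event still fires.
function submitBeforeFix(form) {
  const valid = form.sandboxedForms || checkValidity(form);
  if (!valid) return form.events;
  form.events.push('submit');
  return form.events;
}

// Spec order: step 2 of the submit algorithm aborts when the sandboxed forms
// flag is set, so neither "invalid" nor "submit" is ever dispatched.
function submitAfterFix(form) {
  if (form.sandboxedForms) return form.events;   // aborted: no events at all
  if (!checkValidity(form)) return form.events;  // "invalid" fired on controls
  form.events.push('submit');
  return form.events;
}

// Constructed scenario from the report: sandboxed iframe without allow-forms,
// one required empty input, submit button clicked.
const sandboxedNoAllowForms = () =>
  makeForm({ sandboxedForms: true, controls: [{ name: 'f', required: true, value: '' }] });

console.log(submitBeforeFix(sandboxedNoAllowForms())); // ['submit']  (bug 1287989)
console.log(submitAfterFix(sandboxedNoAllowForms()));  // []          (spec)
```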
Yes, it seems IE/Edge is the only one who follows the spec.

Another strange thing is that if you have a sandboxed (without allow-forms) iframe with

    <input required />
    <input type="submit" />

and click the submit button, the invalid input does not become red.

But if you enter some text, remove it back, and click the submit button again, now the input has a red box-shadow.
The red box-shadow is due to ui-invalid styling, which is unrelated to the form submission behavior and unaffected by whether things are sandboxed, afaict.
Assignee: nobody → bzbarsky
Flags: needinfo?(bugs)
Attachment #8776657 - Flags: review?(bugs) → review+
Pushed by
Don't try to do validation or fire submit events in iframes that are sandboxed without allow-forms.  r=smaug
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51