User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36

Steps to reproduce:
1. Go to https://test.shhnjk.com/sandbox.php?url=/xssable.php?x=%3Ca%20href=%27data:text/html,%3Cscript%3Ealert(1)%3C/script%3E%27%3Ego%3C/a%3E
2. Ctrl+click the link inside iframe sandbox

Actual results:
script executes on opened tab.

Expected results:
Link in sandboxed iframe should not open new tab unless allow-popups is specified. Furthermore, opened tab should not execute script unless original sandbox has allow-scripts.
The link in comment #0 produces a 500 error on my machine. Can you attach a testcase instead?
<iframe sandbox src="data:text/html,<script>alert(1)</script>">
Sorry, this is the right repro. <iframe sandbox src="data:text/html,<a href='data:text/html,<script>alert(1)</script>'>test</a>">
(In reply to s.h.h.n.j.k from comment #2)
> <iframe sandbox src="data:text/html,<script>alert(1)</script>">

I assume you mean something like:

data:text/html,%3Ciframe sandbox src%3D"data%3Atext%2Fhtml%2C%3Ca href%3D'data%3Atext%2Fhtml%2C%3Cscript%3Ealert(1)%3C%2Fscript%3E'%3EClick%3C%2Fa%3E"%3E

This alerts if and only if the user ctrl-clicks. I'm pretty sure this is a deliberate decision to allow users to open links in new tabs with accel-click (or mouse middle click, or the context menu), and that will break the sandbox inheritance deliberately. Dan?
Yeah, ditto if the user right-clicks on the frame and chooses an option like "show only this frame" or "open frame in new window" -- those won't be sandboxed. This is in part why CSP now supports a sandbox directive, so that content a site considers potentially dangerous that ends up loaded out of an iframe context can still be sandboxed. We can argue whether this is or isn't a valid interpretation of honoring user agency vs. the spec, but it's intentional and doesn't need to be hidden.
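The mitigation the comment above points at, as an added example that is not code from the bug thread or from Mozilla: a minimal Python standard-library server that mirrors the reporter's setup. The wrapper endpoint embeds an untrusted URL in an `<iframe sandbox>` (escaping the attribute value), and the untrusted document itself is served with the CSP `sandbox` directive, which is enforced on that document wherever it ends up rendered, including a tab opened by Ctrl+click or "open frame in new window". The paths `/sandbox` and `/untrusted`, the port, and the sample untrusted HTML are constructed for this example. One caveat the thread's own testcase illustrates: a CSP header only applies to responses that carry it, so a `data:` URL target such as the reporter's link has no header to enforce; what the header protects is the untrusted document itself being loaded outside the frame.

```python
"""Serve untrusted HTML so that its sandbox survives being opened in a new tab.

Added example, not the bug thread's code. Endpoint names, port and the sample
untrusted document are constructed for this illustration.
"""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample of untrusted content; the server treats it as opaque text.
UNTRUSTED_HTML = (
    "<a href='data:text/html,<script>alert(1)</script>'>go</a>"
    "<script>alert('inline')</script>"
)


def wrapper_page(url: str) -> str:
    """Embed an untrusted URL in an <iframe sandbox>.

    The attribute value is HTML-escaped (including quotes) so a crafted url
    parameter cannot close the src attribute and add its own attributes.
    """
    return (
        "<!doctype html><title>sandbox wrapper</title>"
        f'<iframe sandbox src="{html.escape(url, quote=True)}"></iframe>'
    )


def untrusted_response_headers() -> dict:
    """Headers for the untrusted document itself.

    The iframe's sandbox attribute only governs the framed browsing context;
    the CSP sandbox directive travels with the response and is applied to the
    document no matter how it was navigated to. No allow-* tokens are given,
    so scripts and popups stay disabled in the new tab as well.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "sandbox",
        "X-Content-Type-Options": "nosniff",
    }


class Handler(BaseHTTPRequestHandler):
    def _send(self, body: bytes, headers: dict) -> None:
        self.send_response(200)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        parsed = urlparse(self.path)
        if parsed.path == "/sandbox":
            # Hypothetical equivalent of the reporter's sandbox.php?url=...
            url = parse_qs(parsed.query).get("url", ["/untrusted"])[0]
            self._send(wrapper_page(url).encode("utf-8"),
                       {"Content-Type": "text/html; charset=utf-8"})
        elif parsed.path == "/untrusted":
            self._send(UNTRUSTED_HTML.encode("utf-8"), untrusted_response_headers())
        else:
            self.send_error(404)


if __name__ == "__main__":
    # Run locally, then open http://127.0.0.1:8000/sandbox?url=/untrusted and
    # Ctrl+click the link: the /untrusted document stays sandboxed even when
    # opened directly as a top-level page.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

The key design point is that the protection for the untrusted document is attached to the document's own response rather than to the embedding page, so the user-agent choice the thread describes (honouring Ctrl+click by dropping the frame's sandbox inheritance) no longer strips it.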
Note Chrome and Safari have made the same choice we did to honor the user action of Control-click without inheriting the sandbox.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
I can not repro this in Chrome.
(In reply to s.h.h.n.j.k from comment #7)
> I can not repro this in Chrome.

I just tested, and with the testcase from comment #4 on OS X with Chrome Version 55.0.2883.95 (64-bit), opening that testcase, command (i.e. Apple)-clicking the link shows an alert box for me...