209653 2020-03-27 09:01:20 -0700 events from sandboxed iframe (allow-same-origin) not firing 2026-01-12 09:09:15 -0800 1 1 1 Unclassified WebKit DOM Safari 13 Unspecified All NEW https://bugs.webkit.org/show_bug.cgi?id=215589 BrowserCompat, InRadar P2 Normal --- 1 frisou76 webkit-unassigned ahmad.saleem792 ap bfulgham cdumez graouts handtrix matb me rniwa webkit-bug-importer oldest_to_newest 1634815 0 frisou76 2020-03-27 09:01:20 -0700 Hi. Version: - tested on gnome web (13.0 / ubuntu 18.04 x86_64) - tested on virtual safari 13.0.2 (via browser stack) Description: Sandboxed iframe with parameter sandbox="allow-same-origin" does not fire events (any kind: onload, onclick,...), and message "Blocked script execution in '...' because the document's frame is sandboxed and the 'allow-scripts' permission is not set." is displayed in console. Awaited: Scripts inside the iframe must not be executed, but parent script functions attached to iframe content events should be executed, since they are trusted. Other browsers: Works in Firefox, Chromium, IE, Edge Steps to reproduce: 1) Create an iframe by script with parameter sandbox="allow-same-origin" 2) Populate iframe by script with untrusted content 3) Attach iframe event like onload / onreadystatechange / onclick to a function Code sample: <html> <head> </head> <body> <script> var iframe = document.createElement('iframe'); iframe.setAttribute('sandbox', 'allow-same-origin allow-modals'); //allow-modals is set because we use alert in button.onclick function that, however, shall not be launched iframe.style.width = iframe.style.height = "100%"; document.body.appendChild(iframe); var idocument = iframe.contentWindow.document; var onready = idocument.onreadystatechange = function(){ if (idocument.readyState == 'complete') { idocument.querySelector('button').addEventListener('click', function(ev){ alert('This script is trusted :-)'); }, false) } } idocument.write('<head></head><body><button onclick="alert(\'This script is UNTRUSTED :-(\')">click Me</button></body>'); try{ idocument.close() }catch(er){ } // as a first workaround for webkit, let's set up a loop to check readyState function checkComplete(){ if (idocument.readyState != 'complete') return setTimeout(checkComplete, 100); onready(); } checkComplete(); </script> </body> </html> Thanks. 1635053 1 webkit-bug-importer 2020-03-27 16:50:33 -0700 <rdar://problem/60990768> 1894524 2 ahmad.saleem792 2022-08-29 07:26:07 -0700 I am able to reproduce this bug in Safari Technology Preview 152 on macOS 12.5.1 using test case from Comment 01 turned into JSFiddle: Link - https://jsfiddle.net/yp7fxow8/ When I click "Click Me", it does not show anything while in case of other browsers (Chrome Canary 107 and Firefox Nightly 106), it shows "This script is trusted :-)". Just wanted to share updated testing results. Thanks! 1918519 3 handtrix 2022-12-12 09:58:13 -0800 The issue is still present in Safari Release 159 (Safari 16.4, WebKit 18615.1.12.130.1) 😢