215589 2020-08-17 15:24:05 -0700 Sandboxed iframes don't fire DOMContentLoaded 2025-12-04 05:49:06 -0800 1 1 1 Unclassified WebKit DOM Safari 13 Mac macOS 10.15 NEW https://bugs.webkit.org/show_bug.cgi?id=33604 https://bugs.webkit.org/show_bug.cgi?id=209653 https://bugs.webkit.org/show_bug.cgi?id=276467 InRadar P2 Normal --- 1 matb webkit-unassigned bfulgham cdumez me webkit-bug-importer wilander oldest_to_newest 1680943 0 406747 matb 2020-08-17 15:24:05 -0700 Created attachment 406747 Example test case Sandboxed iframes that do not set `allow-scripts` do not seem to fire `DOMContentLoaded`. Here's a quick example const iframe = document.createElement('iframe') iframe.setAttribute('sandbox', 'allow-same-origin') iframe.src = './other' document.body.append(iframe) iframe.contentWindow.addEventListener('DOMContentLoaded', () => { console.log('loaded'); }); The event is fired if the iframe is not sandboxed or if `allow-scripts` is included in the sandbox. The sandboxed iframe does fire events in Chrome and Firefox. This is similar to https://bugs.webkit.org/show_bug.cgi?id=33604 but for sandboxed iframes 1680946 1 matb 2020-08-17 15:25:48 -0700 The same also seems to happen for the `load` event. 1681109 2 webkit-bug-importer 2020-08-18 09:57:26 -0700 <rdar://problem/67334351> 1893499 3 ap 2022-08-24 10:06:54 -0700 This continues to behave as reported. Chrome says "Blocked script execution" in console, but the event actually gets dispatched. Seems pretty bad, as there is no reasonable way to detect that a sandboxed frame is done loading in WebKit, so this just prompts authors to add otherwise unnecessary allow-scripts. 406747 2020-08-17 15:24:05 -0700 2020-08-17 15:24:05 -0700 Example test case example.zip application/zip 751 matb UEsDBBQACAAIAId6EVEAAAAAAAAAAM4BAAAKACAAaW5kZXguaHRtbFVUDQAHnwI7X7QCO1+fAjtf dXgLAAEE9QEAAAQUAAAAZVHBTsQgFLz3K7AX2sS2VxNpE7OtpzXrYY3xyMKzJaHQwFtXY/x3IXR7 UC4w7808hoHd9Ifd8e15IBPOustY3IjmZmxzMHmXhQpw2WUkLDYDciIm7jxgm78cH6u7fG2hQg1d b8V5BoOsSThjTZJn7GTl18r1wqkFE4hLWOORqHfHZyAtkeuQWjjgCIOGiAqaCLTMNmGq1MHNA6JT pzNCQT038mQ/6S2hXGt7qXzgVNapUZkg/qt1IlxJ68biBI5u7c1E9F3zZQEji6T5byA8AAP3VRlp LzWXcvgIcK98qIIraH942iXK3nIJMngrStJ25HubdM3Baqi1HQuqE7O83yg/65k11wBZk1KNMcfv +wVQSwcIuMU07RABAADOAQAAUEsDBBQACAAIAKJ5EVEAAAAAAAAAAIcAAAAKACAAb3RoZXIuaHRt bFVUDQAH8AA7X/gAO1/wADtfdXgLAAEE9QEAAAQUAAAAs1F08XcOiQxwVcgoyc2x47IBUQo5iXnp tkqpeUoggdTEFDsuBSCwyU0tSVRIzkgsKk4tsVUKDXHTtVCCSpVkluSk2rnkJ5fmpuaV2OhD+Fw2 +hDtNkn5KZUQpf4lGalFQAmICFAByF4AUEsHCIzdwTNpAAAAhwAAAFBLAQIUAxQACAAIAId6EVG4 xTTtEAEAAM4BAAAKACAAAAAAAAAAAACkgQAAAABpbmRleC5odG1sVVQNAAefAjtftAI7X58CO191 eAsAAQT1AQAABBQAAABQSwECFAMUAAgACACieRFRjN3BM2kAAACHAAAACgAgAAAAAAAAAAAApIFo AQAAb3RoZXIuaHRtbFVUDQAH8AA7X/gAO1/wADtfdXgLAAEE9QEAAAQUAAAAUEsFBgAAAAACAAIA sAAAACkCAAAAAA==