Bug 209653
Summary: | events from sandboxed iframe (allow-same-origin) not firing | |
---|---|---|---
Product: | WebKit | Reporter: | frisou76
Component: | DOM | Assignee: | Nobody <webkit-unassigned>
Status: | NEW | |
Severity: | Normal | CC: | ahmad.saleem792, ap, bfulgham, cdumez, graouts, handtrix, matb, rniwa, webkit-bug-importer
Priority: | P2 | Keywords: | BrowserCompat, InRadar
Version: | Safari 13 | |
Hardware: | Unspecified | |
OS: | All | |
See Also: | https://bugs.webkit.org/show_bug.cgi?id=215589 | |
frisou76
Hi.
Version:
- tested on gnome web (13.0 / ubuntu 18.04 x86_64)
- tested on virtual safari 13.0.2 (via browser stack)
Description:
Sandboxed iframe with parameter sandbox="allow-same-origin" does not fire events (any kind: onload, onclick,...), and message "Blocked script execution in '...' because the document's frame is sandboxed and the 'allow-scripts' permission is not set." is displayed in console.
Awaited:
Scripts inside the iframe must not be executed, but parent script functions attached to iframe content events should be executed, since they are trusted.
Other browsers:
Works in Firefox, Chromium, IE, Edge
Steps to reproduce:
1) Create an iframe by script with parameter sandbox="allow-same-origin"
2) Populate iframe by script with untrusted content
3) Attach iframe event like onload / onreadystatechange / onclick to a function
Code sample:

```html
<html>
<head>
</head>
<body>
<script>
// Sandboxed frame: allow-same-origin so the parent can reach its document,
// but no allow-scripts, so scripts inside the frame must not run.
var iframe = document.createElement('iframe');
// allow-modals is set because we use alert in button.onclick function that, however, shall not be launched
iframe.setAttribute('sandbox', 'allow-same-origin allow-modals');
iframe.style.width = iframe.style.height = "100%";
document.body.appendChild(iframe);
var idocument = iframe.contentWindow.document;
// Trusted handler, attached from the parent once the framed document is complete.
var onready = idocument.onreadystatechange = function () {
  if (idocument.readyState == 'complete') {
    idocument.querySelector('button').addEventListener('click', function (ev) {
      alert('This script is trusted :-)');
    }, false);
  }
};
// Untrusted content: its inline onclick handler is what the sandbox must block.
idocument.write('<head></head><body><button onclick="alert(\'This script is UNTRUSTED :-(\')">click Me</button></body>');
try {
  idocument.close();
} catch (er) {
}
// as a first workaround for webkit, let's set up a loop to check readyState
function checkComplete() {
  if (idocument.readyState != 'complete')
    return setTimeout(checkComplete, 100);
  onready();
}
checkComplete();
</script>
</body>
</html>
```
Thanks.
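The following is an added example and is not part of the bug report or of WebKit: a small helper that interprets an iframe `sandbox` attribute value the way the HTML spec's sandboxing flag set does, so a reviewer can tell which capabilities a given value grants before relying on it. The function names (`parseSandbox`, `describeSandbox`, `probeParentListener`) are this example's own, and the token list is assumed to match the spec's recognised directives at the time of writing. The probe reproduces the report's setup (parent-attached `readystatechange` handler, no `allow-scripts`) and only does anything when run in a browser.

```javascript
'use strict';

// Directive tokens the HTML spec recognises (assumed current). Anything else is
// ignored without error, so a misspelt token grants nothing but also warns nobody.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Split on ASCII whitespace and compare case-insensitively, as the attribute's
// token parsing does.
function parseSandbox(value) {
  const tokens = String(value).split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase());
  return {
    allowed: new Set(tokens.filter((t) => KNOWN_TOKENS.has(t))),
    unknown: tokens.filter((t) => !KNOWN_TOKENS.has(t)),
  };
}

// Summarise what a sandbox value means for the framed content and for the embedder.
function describeSandbox(value) {
  const { allowed, unknown } = parseSandbox(value);
  const scripts = allowed.has('allow-scripts');
  const sameOrigin = allowed.has('allow-same-origin');
  return {
    // Scripts inside the framed document (inline handlers included) run only
    // with allow-scripts; without it WebKit logs the "Blocked script execution"
    // message quoted in the report.
    framedScriptsRun: scripts,
    // Without allow-same-origin the frame gets an opaque origin and the parent's
    // access to contentWindow.document throws; with it the parent can reach the
    // framed DOM and attach its own listeners, as the report's test case does.
    parentCanReachDom: sameOrigin,
    // Spec caveat: allow-scripts together with allow-same-origin lets framed
    // content reach the embedder and strip the sandbox attribute from its own
    // iframe, so that pairing is only appropriate for content that is already trusted.
    canEscapeSandbox: scripts && sameOrigin,
    unknownTokens: unknown,
  };
}

// Browser-only probe reproducing the report's setup. Resolves to 'fired' if the
// parent's readystatechange handler ran, 'timeout' if it did not within
// timeoutMs, and 'no-dom' when there is no document to work with (e.g. Node).
function probeParentListener(sandboxValue, timeoutMs) {
  if (typeof document === 'undefined') return Promise.resolve('no-dom');
  return new Promise((resolve) => {
    const iframe = document.createElement('iframe');
    iframe.setAttribute('sandbox', sandboxValue);
    document.body.appendChild(iframe);
    const idoc = iframe.contentWindow.document;
    const timer = setTimeout(() => resolve('timeout'), timeoutMs || 1000);
    idoc.onreadystatechange = () => {
      if (idoc.readyState === 'complete') { clearTimeout(timer); resolve('fired'); }
    };
    // Constructed untrusted markup: no script of its own should run in the frame.
    idoc.write('<body><button>click</button></body>');
    try { idoc.close(); } catch (e) { /* ignored, as in the report */ }
  });
}
```

In a browser console, `probeParentListener('allow-same-origin', 1000).then(console.log)` gives a one-line answer to the question the report asks; `describeSandbox(value)` is the static check to run over any sandbox value a page is about to set, and its `canEscapeSandbox` flag is the reason not to "fix" the missing events by simply adding `allow-scripts` to the reporter's value.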
Radar WebKit Bug Importer
<rdar://problem/60990768>
Ahmad Saleem
I am able to reproduce this bug in Safari Technology Preview 152 on macOS 12.5.1 using test case from Comment 01 turned into JSFiddle:
Link - https://jsfiddle.net/yp7fxow8/
When I click "Click Me", it does not show anything while in case of other browsers (Chrome Canary 107 and Firefox Nightly 106), it shows "This script is trusted :-)".
Just wanted to share updated testing results. Thanks!
Henrik Wenz
The issue is still present in Safari Release 159 (Safari 16.4, WebKit 18615.1.12.130.1) 😢