Bug 215589

Summary: Sandboxed iframes don't fire DOMContentLoaded
Product: WebKit Reporter: Matt Bierner <matb>
Component: DOM Assignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: bfulgham, cdumez, me, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 13   
Hardware: Mac   
OS: macOS 10.15   
See Also: https://bugs.webkit.org/show_bug.cgi?id=33604
https://bugs.webkit.org/show_bug.cgi?id=209653
https://bugs.webkit.org/show_bug.cgi?id=276467
Attachments:
Description Flags
Example test case none

Matt Bierner
Reported 2020-08-17 15:24:05 PDT
Created attachment 406747 [details]
Example test case

Sandboxed iframes that do not set `allow-scripts` do not seem to fire `DOMContentLoaded`. Here's a quick example:

```js
const iframe = document.createElement('iframe')
iframe.setAttribute('sandbox', 'allow-same-origin')
iframe.src = './other'
document.body.append(iframe)

iframe.contentWindow.addEventListener('DOMContentLoaded', () => {
    console.log('loaded');
});
```

The event is fired if the iframe is not sandboxed or if `allow-scripts` is included in the sandbox.

The sandboxed iframe does fire events in Chrome and Firefox.

This is similar to https://bugs.webkit.org/show_bug.cgi?id=33604 but for sandboxed iframes
Attachments
Example test case (751 bytes, application/zip)
2020-08-17 15:24 PDT, Matt Bierner
no flags
Matt Bierner
Comment 1 2020-08-17 15:25:48 PDT
The same also seems to happen for the `load` event.
Radar WebKit Bug Importer
Comment 2 2020-08-18 09:57:26 PDT
Alexey Proskuryakov
Comment 3 2022-08-24 10:06:54 PDT
This continues to behave as reported. Chrome says "Blocked script execution" in console, but the event actually gets dispatched. Seems pretty bad, as there is no reasonable way to detect that a sandboxed frame is done loading in WebKit, so this just prompts authors to add otherwise unnecessary allow-scripts.
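
The workaround described in Comment 3, adding `allow-scripts` only so that load events arrive, widens the sandbox. On a frame like the reporter's, which already sets `allow-same-origin`, it produces the combination that lets a same-origin framed document remove its own sandbox. The following is an added example, not part of the bug thread: a check that flags frames whose sandbox tokens exceed what was intended. Function names and the sample inventory are constructed.

```javascript
// Added example: names and sample data are constructed, not from the bug report.

// The sandbox attribute is a set of space-separated, ASCII case-insensitive
// tokens. An empty string is valid and means "all restrictions apply".
function parseSandbox(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Compare the sandbox a frame was designed to have with the one it carries.
//   sandboxed  false when the attribute is missing altogether (null)
//   added      tokens in `actual` that `intended` did not call for
//   escapable  allow-scripts together with allow-same-origin: if the framed
//              document is same-origin with the embedder, its script can
//              reach the parent and remove the sandbox attribute
function auditSandbox(intended, actual) {
  if (actual === null || actual === undefined) {
    return { sandboxed: false, added: [], escapable: false };
  }
  const want = parseSandbox(intended);
  const have = parseSandbox(actual);
  return {
    sandboxed: true,
    added: [...have].filter((t) => !want.has(t)).sort(),
    escapable: have.has('allow-scripts') && have.has('allow-same-origin'),
  };
}

// Constructed inventory: the frame from the report, the same frame after the
// allow-scripts workaround, and one whose sandbox was dropped entirely.
const FRAMES = [
  { src: './other', sandbox: 'allow-same-origin' },
  { src: './other', sandbox: 'allow-same-origin  Allow-Scripts' },
  { src: './other', sandbox: null },
];

// Return only the frames whose sandbox is weaker than intended.
function weakenedFrames(frames, intended) {
  return frames
    .map((f) => ({ ...f, ...auditSandbox(intended, f.sandbox) }))
    .filter((f) => !f.sandboxed || f.added.length > 0);
}

for (const f of weakenedFrames(FRAMES, 'allow-same-origin')) {
  console.log(f.src, JSON.stringify(f.sandbox), f.added, 'escapable:', f.escapable);
}
```

In a page, the same audit can be fed from each `iframe` element's `sandbox` attribute value instead of the constructed inventory.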