Bug 218086

Summary:	Same domain sandboxed iframe events blocked from parent listener without allow-scripts
Product:	WebKit	Reporter:	Caleb Cordry <ccordry>
Component:	Frames	Assignee:	Nobody <webkit-unassigned>
Status:	NEW
Severity:	Normal	CC:	bfulgham, opendarwin, phil, r89534217610, smoley, webkit-bug-importer, youennf
Priority:	P2	Keywords:	InRadar
Version:	Safari 14
Hardware:	All
OS:	macOS 10.15

Caleb Cordry

Reported 2020-10-22 09:59:25 PDT

If a same domain iframe is created using `srcdoc` with `sandbox=allow-same-origin` and an event listener is created from the parent page e.g. const img = iframe.contentDocument.querySelector('img'); img.addEventListener('click', callback) The event will be blocked in Safari with the error `Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.` In other modern browsers the event will be received by the parent page. Adding 'allow-scripts' will allow the parent to receive the event. We believe according to the spec https://html.spec.whatwg.org/multipage/webappapis.html#sandboxScriptBlocked these events should not be blocked as they execute in the parent window and not the sandboxed iframe window. You can find a demo at: https://sandboxed-listener.glitch.me/

Attachments
Add attachment proposed patch, testcase, etc.

Smoley

Comment 1 2020-10-22 10:55:29 PDT

Thanks for filing, I can reproduce this on Safari 12.1.2 as well as Safari Beta version 14.0.1 using the linked test case.

Radar WebKit Bug Importer

Comment 2 2020-10-22 10:55:45 PDT

<rdar://problem/70580282>

Smoley

Comment 3 2021-02-05 18:06:30 PST

*** Bug 221283 has been marked as a duplicate of this bug. ***

Phil Freo

Comment 4 2022-07-25 11:00:25 PDT

This bug also exists in Safari Version 15.5. This bug has a negative affect on web security because Safari's behavior means it's harder for developers to utilize sandboxed iframes to block scripts from within the iframe, if the external page still needs any scripting control.

Comment 5 2025-02-09 04:50:33 PST

It is still present on the latest iOS and really undermines the security when working with iframes. Current workaround if you're using `srcdoc` is prepending CSP meta tag to block script executions: ```html <meta http-equiv="Content-Security-Policy" content="script-src 'none';"> ```

Note You need to log in before you can comment on or make changes to this bug.