Bug 231944

Summary: Use of window.alert is not allowed in different origin-domain frames despite `allow-same-origin` and `allow-modals`
Product: WebKit Reporter: yanahij531
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: cdumez
Priority: P2    
Version: Safari 15   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Video recording of error on safari 15 none

Description yanahij531 2021-10-19 03:29:55 PDT 
Created attachment 441706 [details]
Video recording of error on safari 15

Please try visiting this URL in Safari 15:

https://safari-15-cross-domain-iframe-modal-bug.glitch.me/

The page has a cross-domain iframe in it:

```
<iframe src="https://safari-15-cross-domain-iframe-modal-bug-embed.glitch.me" sandbox="allow-scripts allow-same-origin allow-modals"></iframe>
```

And the source code for that iframe embed is just:

```
<script>alert(1)</script>
```

Since I've added `sandbox="allow-scripts allow-same-origin allow-modals"` to the iframe, I believe the modals should be allowed. Instead the following error is shown in the console:

```
Use of window.alert is not allowed in different origin-domain frames
```

The other major browsers correctly allow the modal with those attributes, and this behavior of allowing modals with those sandbox flags is discussed here:

https://github.com/whatwg/html/issues/5407#issuecomment-775621443

This bug does not exist on Safari 13 or 14. Please see attached video recording.
Comment 1 Chris Dumez 2021-10-19 07:39:02 PDT 

*** This bug has been marked as a duplicate of bug 229737 ***