Bug 231944

Summary:

Use of window.alert is not allowed in different origin-domain frames despite `allow-same-origin` and `allow-modals`

Product:

WebKit

Reporter:

yanahij531

Component:

WebCore Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Normal

CC:

cdumez

Priority:

Version:

Safari 15

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Video recording of error on safari 15	none

yanahij531

Reported 2021-10-19 03:29:55 PDT

Created attachment 441706 [details] Video recording of error on safari 15 Please try visiting this URL in Safari 15: https://safari-15-cross-domain-iframe-modal-bug.glitch.me/ The page has a cross-domain iframe in it: ``` <iframe src="https://safari-15-cross-domain-iframe-modal-bug-embed.glitch.me" sandbox="allow-scripts allow-same-origin allow-modals"></iframe> ``` And the source code for that iframe embed is just: ``` <script>alert(1)</script> ``` Since I've added `sandbox="allow-scripts allow-same-origin allow-modals"` to the iframe, I believe the modals should be allowed. Instead the following error is shown in the console: ``` Use of window.alert is not allowed in different origin-domain frames ``` The other major browsers correctly allow the modal with those attributes, and this behavior of allowing modals with those sandbox flags is discussed here: https://github.com/whatwg/html/issues/5407#issuecomment-775621443 This bug does not exist on Safari 13 or 14. Please see attached video recording.

Attachments
Video recording of error on safari 15 (2.14 MB, video/webm) 2021-10-19 03:29 PDT, yanahij531	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2021-10-19 07:39:02 PDT

*** This bug has been marked as a duplicate of bug 229737 ***

Note You need to log in before you can comment on or make changes to this bug.