NEW 215589
Sandboxed iframes don't fire DOMContentLoaded 
https://bugs.webkit.org/show_bug.cgi?id=215589
Summary Sandboxed iframes don't fire DOMContentLoaded
Matt Bierner
Reported 2020-08-17 15:24:05 PDT
Created attachment 406747 [details] Example test case Sandboxed iframes that do not set `allow-scripts` do not seem to fire `DOMContentLoaded`. Here's a quick example const iframe = document.createElement('iframe') iframe.setAttribute('sandbox', 'allow-same-origin') iframe.src = './other' document.body.append(iframe) iframe.contentWindow.addEventListener('DOMContentLoaded', () => { console.log('loaded'); }); The event is fired if the iframe is not sandboxed or if `allow-scripts` is included in the sandbox. The sandboxed iframe does fire events in Chrome and Firefox. This is similar to https://bugs.webkit.org/show_bug.cgi?id=33604 but for sandboxed iframes
Attachments
Example test case (751 bytes, application/zip)
2020-08-17 15:24 PDT, Matt Bierner 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Matt Bierner
Comment 1 2020-08-17 15:25:48 PDT
The same also seems to happen for the `load` event.
Radar WebKit Bug Importer
Comment 2 2020-08-18 09:57:26 PDT
<rdar://problem/67334351>
Alexey Proskuryakov
Comment 3 2022-08-24 10:06:54 PDT
This continues to behave as reported. Chrome says "Blocked script execution" in console, but the event actually gets dispatched. Seems pretty bad, as there is no reasonable way to detect that a sandboxed frame is done loading in WebKit, so this just prompts authors to add otherwise unnecessary allow-scripts.
Note You need to log in before you can comment on or make changes to this bug.