In a site hosted with https, if an iframe is using a blob url generated from html content, and its sandbox is set to "allow-scripts", the iframe does not load the html. This works in other browsers and in Safari 13.1, but it does not work in Safari 14.0.3 (15610.4.3.1.6, 15610) or Safari Technology preview Release 120 (Safari 14.2, WebKit 15618.104.22.168).
See a reproduction here: https://stackblitz.com/edit/webkit-iframe-blob-src-bug.
It's possible that Safari is intentionally more strict about this, but I can't find any evidence that it's intentional.
This can be worked around by setting sandbox="allow-scripts allow-same-origin".
Still reproduces on r275884 so Bug 170075 did not fix this.
Had a quick look, it seems we need to update FrameLoader::PolicyChecker::extendBlobURLLifetimeIfNecessary.
Created attachment 425958 [details]
Created attachment 425964 [details]
Created attachment 425985 [details]
Comment on attachment 425985 [details]
r=me, thanks for fixing.
Committed r276012 (236564@main): <https://commits.webkit.org/236564@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 425985 [details].