Bug 231944 - Use of window.alert is not allowed in different origin-domain frames despite `allow-same-origin` and `allow-modals`
Summary: Use of window.alert is not allowed in different origin-domain frames despite ...
Status: RESOLVED DUPLICATE of bug 229737
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: Safari 15
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-19 03:29 PDT by yanahij531
Modified: 2021-10-19 07:39 PDT (History)
1 user (show)

See Also:

Attachments
Video recording of error on safari 15 (2.14 MB, video/webm)
2021-10-19 03:29 PDT, yanahij531 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description yanahij531 2021-10-19 03:29:55 PDT 
Created attachment 441706 [details]
Video recording of error on safari 15

Please try visiting this URL in Safari 15:

https://safari-15-cross-domain-iframe-modal-bug.glitch.me/

The page has a cross-domain iframe in it:

```
<iframe src="https://safari-15-cross-domain-iframe-modal-bug-embed.glitch.me" sandbox="allow-scripts allow-same-origin allow-modals"></iframe>
```

And the source code for that iframe embed is just:

```
<script>alert(1)</script>
```

Since I've added `sandbox="allow-scripts allow-same-origin allow-modals"` to the iframe, I believe the modals should be allowed. Instead the following error is shown in the console:

```
Use of window.alert is not allowed in different origin-domain frames
```

The other major browsers correctly allow the modal with those attributes, and this behavior of allowing modals with those sandbox flags is discussed here:

https://github.com/whatwg/html/issues/5407#issuecomment-775621443

This bug does not exist on Safari 13 or 14. Please see attached video recording.
Comment 1 Chris Dumez 2021-10-19 07:39:02 PDT 

*** This bug has been marked as a duplicate of bug 229737 ***