Demo HTML follows. The sandboxed iframe should not be able to do anything to navigate the top level window, but here is a bypass:

ifsandbox.html:
---
<html>
<body>
Testing iframe sandbox attribute....
<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="innerframe.html"></iframe>
</body>
</html>
---

innerframe.html:
---
<html>
<body>
Hello! I'm the inner frame. I will proceed to try and be irritating.
<form id="f" action="http://www.google.com" method="GET" target="_top">
<input type="submit" value="Submit"/>
</form>
<script>
// Does not work.
window.top.location = 'http://www.google.com';
// Works!
e = document.getElementById('f');
alert('about to submit form....');
e.submit();
</script>
</body>
</html>
---

I haven't tried other targets (e.g. "_parent", named iframes etc).
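The defect in the report is that script assignment to `top.location` and form submission with `target="_top"` took different paths, and only the first consulted the sandbox flags. The model below is an added example, not WebKit's code: a single `canNavigate` policy that both initiators must call, with a constructed frame tree mirroring the demo. The restriction bits, the `allow-top-navigation` token and all function names are assumptions for illustration.

```javascript
// Restriction bits: a set bit means the frame is DENIED that capability.
const NAVIGATION = 1, TOP_NAVIGATION = 2, FORMS = 4;
const ALL = NAVIGATION | TOP_NAVIGATION | FORMS;
// allow-* tokens and the restriction each lifts. 'allow-top-navigation' is assumed
// here as the token that would lift TOP_NAVIGATION; the demo above does not use it.
const ALLOW = { 'allow-forms': FORMS, 'allow-top-navigation': TOP_NAVIGATION };

function parseSandbox(attr) {
  if (attr === null) return 0;                       // no attribute: unrestricted
  let flags = ALL;
  for (const tok of attr.trim().toLowerCase().split(/\s+/)) flags &= ~(ALLOW[tok] || 0);
  return flags;
}
// Flags inherit downward: a child can never be less restricted than its parent.
function createFrame(name, parent, sandboxAttr) {
  const f = { name, parent, children: [], flags: (parent ? parent.flags : 0) | parseSandbox(sandboxAttr) };
  if (parent) parent.children.push(f);
  return f;
}
function top(f) { while (f.parent) f = f.parent; return f; }
function isDescendant(f, ancestor) {
  for (let p = f.parent; p; p = p.parent) if (p === ancestor) return true;
  return false;
}

// The one navigation policy every initiator must consult, whatever the trigger.
function canNavigate(source, target) {
  if (!(source.flags & NAVIGATION)) return true;       // not sandboxed
  if (target === source || isDescendant(target, source)) return true;
  return target === top(source) && !(source.flags & TOP_NAVIGATION);
}
function resolveTarget(source, name) {
  if (name === '' || name === '_self') return source;
  if (name === '_parent') return source.parent || source;
  if (name === '_top') return top(source);
  const stack = [top(source)];                         // named target: search the tree
  while (stack.length) { const f = stack.pop(); if (f.name === name) return f; stack.push(...f.children); }
  return null;                                         // new window; not modelled here
}

// Both entry points consult canNavigate; the bug was that only the first one did.
function scriptSetLocation(source, targetFrame) { return canNavigate(source, targetFrame); }
function submitForm(source, targetName) {
  if (source.flags & FORMS) return false;              // forms blocked outright
  const t = resolveTarget(source, targetName);
  return t !== null && canNavigate(source, t);
}

// Constructed tree mirroring the demo: top page embeds the sandboxed inner frame.
const topFrame = createFrame('top', null, null);
const inner = createFrame('inner', topFrame, 'allow-same-origin allow-forms allow-scripts');
console.log(scriptSetLocation(inner, topFrame), submitForm(inner, '_top')); // false false
```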
cc: author of iframe sandbox attribute (thanks for implementing it)!
<rdar://problem/7517003>
Putting this in the private security area seems unnecessarily cautious, since the sandbox attribute is brand new, hasn’t shipped yet, and isn’t in active use by websites. I think it would be OK to handle this out in the open instead. What do you think?
Created attachment 46011 [details] LayoutTest Here's a LayoutTest for the issue.
Darin - agreed!
I have a fix for this. I'll take the bug.
Was it a simple fix or did complexities arise?
@Sam, I can fix this if you've got other things on your plate.
Created attachment 48699 [details] Patch
@Sam: I don't mean to step on your toes, but I'd like to get this bug fixed. Is this the same as your patch?
Comment on attachment 48699 [details] Patch Fix is fine, r=me. No need to wait on Sam.
Comment on attachment 48699 [details] Patch Clearing flags on attachment: 48699 Committed r54764: <http://trac.webkit.org/changeset/54764>
Comment on attachment 48699 [details] Patch
Rejecting patch 48699 from commit-queue.
Unexpected failure when landing patch! Please file a bug against webkit-patch.
Failed to run "['WebKitTools/Scripts/webkit-patch', '--status-host=webkit-commit-queue.appspot.com', 'land-attachment', '--force-clean', '--non-interactive', '--no-update', '--parent-command=commit-queue', '--build-style=both', '--quiet', '48699']" exit_code: 1
Last 500 characters of output:
all.cache.d/-1555206040/mechanize-0.1.11.zip/mechanize-0.1.11/mechanize/_html.py", line 546, in __getattr__
File "/Users/eseidel/Projects/CommitQueue/WebKitTools/Scripts/webkitpy/autoinstall.cache.d/-1555206040/mechanize-0.1.11.zip/mechanize-0.1.11/mechanize/_html.py", line 559, in forms
File "/Users/eseidel/Projects/CommitQueue/WebKitTools/Scripts/webkitpy/autoinstall.cache.d/-1555206040/mechanize-0.1.11.zip/mechanize-0.1.11/mechanize/_html.py", line 228, in forms
mechanize._html.ParseError
Looks like this was landed, but CCing Eric because of the strange commit-bot error.
That looks like bug 33659.