firefox sandbox iframe location changing when it shouldn't

When using html5 sandbox iframe I want the iframe to not be able to change its location:

<iframe sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts" class="iframe visible" src="thesource.html" width="100%" scrolling="auto" frameborder="0"></iframe>

It works great in Chrome, but in Firefox a sandboxed iframe can still redirect.

It's a known bug, but how can I patch it so that all Firefox users won't be redirected?

Tom asked Feb 05 '14 00:02



1 Answer

Example:

An <iframe> with extra restrictions:

<iframe src="demo_iframe_sandbox.htm" sandbox=""></iframe>

The sandbox attribute is supported in Internet Explorer 10, Firefox, Chrome, and Safari.

Note: The sandbox attribute is not supported in Internet Explorer 9 and earlier versions, or in Opera.

Definition and Usage

If specified as an empty string (sandbox=""), the sandbox attribute enables a set of extra restrictions for the content in the inline frame.

The value of the sandbox attribute can either be an empty string (all the restrictions are applied), or a space-separated list of pre-defined values that will REMOVE particular restrictions.

Differences Between HTML 4.01 and HTML5

The sandbox attribute is new in HTML5.

Syntax

<iframe sandbox="value">

Attribute Values

  1. "" => Applies all restrictions below
  2. allow-same-origin => Allows the iframe content to be treated as being from the same origin as the containing document
  3. allow-top-navigation => Allows the iframe content to navigate (load) content from the containing document
  4. allow-forms => Allows form submission
  5. allow-scripts => Allows script execution

javascript: is a kind of weird URI protocol. It works in some contexts, like , but not all - for instance, a window's location can not be set to such a URI. (While you can assign a javascript: URI to window.location as a really roundabout way of running a script, the window's location doesn't stay set to that value.)

To write content into an IFRAME, get a reference to the frame's document and write to it. Doing so will require that you set the allow-same-origin sandbox flag.

<!-- about:blank inherits the parent's origin, so allow-same-origin lets the parent script reach its document -->
<iframe id="myframe" sandbox="allow-scripts allow-same-origin" src="about:blank"></iframe>

<script>
    var frame = document.getElementById("myframe");
    // contentDocument is only accessible because the frame is same-origin
    var fdoc = frame.contentDocument;

    fdoc.write("Hello world"); // or whatever
</script>

Live example: http://jsfiddle.net/wUvrF/1/

evergreen answered Oct 14 '22 05:10
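The question's sandbox value and the answer's list of sandbox tokens both come down to one thing: which restrictions a given attribute string actually lifts. The following audit helper is an added example, not code from the question, the answer, or any browser vendor. It parses a sandbox value the way the HTML spec reads it (space-separated, ASCII case-insensitive tokens) and reports whether the framed document may navigate the top-level page and whether it could remove its own sandbox. The function names (parseSandbox, auditSandbox, auditAllIframes) and the returned field names are this example's own choices; the constructed sample is the attribute string from the question, which frames a relative (same-origin) URL. It does not work around the Firefox bug the question describes; it only shows what the markup itself permits, so you can see that allow-top-navigation is absent in the question's value and that allow-scripts plus allow-same-origin on same-origin content is the weak spot to watch.

```javascript
// Added example (not from the original question or answer): audit an
// <iframe sandbox> value and report what the framed document may do.

// Tokens that lift the "no top-level navigation" restriction. Both are real
// spec tokens; the second one only allows navigation after a user gesture.
const TOP_NAV_TOKENS = [
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
];

// Parse the attribute value into a Set of tokens. A missing attribute
// (null/undefined) means the frame is not sandboxed at all, so return null.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(String(value).toLowerCase().split(/\s+/).filter(Boolean));
}

// Audit one sandbox value. srcIsSameOrigin says whether the framed URL is
// same-origin with the embedding page (the caller decides; see auditAllIframes).
function auditSandbox(value, srcIsSameOrigin) {
  const tokens = parseSandbox(value);
  if (tokens === null) {
    return {
      sandboxed: false,
      canNavigateTop: true,
      canEscapeSandbox: true,
      tokens: [],
      warnings: ["no sandbox attribute: the frame is unrestricted"],
    };
  }
  const canNavigateTop = TOP_NAV_TOKENS.some((t) => tokens.has(t));
  // allow-scripts + allow-same-origin on a same-origin document lets the framed
  // script reach the parent DOM and strip the sandbox attribute itself.
  const canEscapeSandbox =
    tokens.has("allow-scripts") &&
    tokens.has("allow-same-origin") &&
    srcIsSameOrigin === true;
  const warnings = [];
  if (canNavigateTop) {
    warnings.push("allow-top-navigation present: the frame may redirect the top-level page");
  }
  if (canEscapeSandbox) {
    warnings.push(
      "allow-scripts + allow-same-origin on same-origin content: the framed script can reach the parent document and remove the sandbox attribute"
    );
  }
  return { sandboxed: true, canNavigateTop, canEscapeSandbox, tokens: [...tokens].sort(), warnings };
}

// Constructed sample: the attribute value from the question above. Its src
// ("thesource.html") is a relative URL, hence same-origin with the parent.
const QUESTION_SANDBOX = "allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts";

function auditQuestionIframe() {
  return auditSandbox(QUESTION_SANDBOX, true);
}

// Browser-only helper (assumes a DOM): audit every iframe in a document,
// deciding same-origin-ness by resolving src against the document's base URI.
function auditAllIframes(doc) {
  const pageOrigin = new URL(doc.baseURI).origin;
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const src = el.getAttribute("src") || "";
    const sameOrigin = new URL(src, doc.baseURI).origin === pageOrigin;
    return { src, ...auditSandbox(el.getAttribute("sandbox"), sameOrigin) };
  });
}
```

In a browser console, auditAllIframes(document) lists every frame with its warnings; the question's own value audits as "no top navigation allowed" but "can escape sandbox", which is why a frame that must run scripts is safer served from a separate origin so that allow-same-origin can be dropped.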