I've used an iframe to show some pages. These pages may contain Adobe Flash content like a video.
My problem is that Adobe Flash doesn't execute in an iframe with the sandbox attribute.
My iframe tag:
<iframe sandbox="allow-popups allow-pointer-lock allow-same-origin allow-forms allow-scripts" src="http://example.com"></iframe>
The sandbox attribute enables an extra set of restrictions for the content in the iframe.
Given an iframe with an empty sandbox attribute, the framed document will be fully sandboxed, subjecting it to the following restrictions: JavaScript will not execute in the framed document. This not only includes JavaScript explicitly loaded via script tags, but also inline event handlers and javascript: URLs.
Note that it's not advisable to add both values allow-scripts and allow-same-origin: these two values will allow the iframe to access and modify your DOM. In this case, a malicious iframe could perform all sorts of operations, and could even remove its own sandbox attribute!
This technique is quite dangerous because it can be misused to infect the user with some unwanted or corrupted software or malicious program. Such things sometimes prompt users to download or click on things that will bring harm to their system.
Short answer: you can't execute the Flash plugin in a sandboxed iframe.
The spec: http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox
Plugins that cannot be secured are disabled in sandboxed browsing contexts because they might not honor the restrictions imposed by the sandbox (e.g. they might allow scripting even when scripting in the sandbox is disabled). User agents should convey the danger of overriding the sandbox to the user if an option to do so is provided.
For comprehensive information about the sandbox attribute: http://blog.dareboost.com/en/2015/07/securing-iframe-sandbox-attribute/
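The checks the answers above describe can be applied to any sandbox value before a page ships. This is an added example, not code from the original thread; `auditSandbox` and `KNOWN_TOKENS` are hypothetical names, and the sample value is the one from the question.

```javascript
// Added example. In a browser, read the value with iframe.getAttribute("sandbox");
// null means the attribute is absent, "" means it is present but empty.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

function auditSandbox(value) {
  if (value === null || value === undefined) {
    return { sandboxed: false, tokens: [], unknown: [], scripts: true,
             sameOrigin: true, pluginsDisabled: false,
             findings: ["no sandbox attribute: none of the sandbox restrictions apply"] };
  }
  // Tokens are space-separated and ASCII case-insensitive; duplicates are harmless.
  const all = [...new Set(
    String(value).toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean))];
  const tokens = all.filter((t) => KNOWN_TOKENS.has(t));
  const unknown = all.filter((t) => !KNOWN_TOKENS.has(t));
  const scripts = tokens.includes("allow-scripts");
  const sameOrigin = tokens.includes("allow-same-origin");
  const findings = [];
  if (tokens.length === 0) {
    findings.push("fully sandboxed: every restriction is in force");
  }
  if (scripts && sameOrigin) {
    findings.push("allow-scripts with allow-same-origin: framed content that shares " +
      "the embedding page's origin can modify that page and remove its own sandbox attribute");
  }
  if (unknown.length > 0) {
    // A misspelled token lifts nothing, so the restriction silently stays on.
    findings.push("unrecognised tokens are ignored by the browser: " + unknown.join(", "));
  }
  // No token re-enables plugins, so this holds for every sandboxed frame.
  findings.push("plugins such as Flash stay disabled");
  return { sandboxed: true, tokens, unknown, scripts, sameOrigin,
           pluginsDisabled: true, findings };
}

// The value from the question's iframe tag.
const questionValue =
  "allow-popups allow-pointer-lock allow-same-origin allow-forms allow-scripts";
console.log(auditSandbox(questionValue).findings.join("\n"));
```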