
How to programmatically remove sandbox attribute from an iframe with JavaScript

I didn't think this was possible; however, I found this quote:

"It is strongly discouraged to use both allow-scripts and allow-same-origin at the same time, as that allows the embedded document to programmatically remove the sandbox attribute."

My iframe needs to have a sandbox, but only when I am browsing in certain URLs where the embedded browsing context tries to navigate (load) content to the top-level browsing context (Jump out of frame...)

On other pages the sandbox needs to be removed entirely, as it won't allow me to browse away from a site with a different origin...

The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.

Programmatically changing the sandbox with:

document.getElementById("frame").sandbox = "";

...doesn't work either, as this still places restrictions... Therefore, I need to somehow remove the attribute entirely. How would I go about doing this?

David asked Apr 21 '13 19:04



1 Answer

These flags only take effect when the nested browsing context of the iframe is navigated. Removing them, or removing the entire sandbox attribute, has no effect on an already-loaded page.

More info - Here

Mohammad Adil answered Nov 14 '22 23:11
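
The answer's point written as embedder-side code, as an added example that is not part of the original question or answer: decide the sandbox state for a URL, write or remove the attribute, and only then navigate the frame so the new flags apply. The host list, token set, function names and example hostnames are assumptions made for illustration.

```javascript
// Added example. Hostnames and names below are constructed for illustration.
const FRAME_BUSTING_HOSTS = new Set(["framebuster.example"]);

// Tokens for pages that try to navigate the top-level context:
// allow-top-navigation is deliberately left out.
const RESTRICTED_TOKENS = ["allow-scripts", "allow-forms"];

// Decide the policy for a URL before the frame loads it.
function sandboxPolicyFor(url) {
  const host = new URL(url).hostname;
  return FRAME_BUSTING_HOSTS.has(host)
    ? { sandboxed: true, tokens: RESTRICTED_TOKENS }
    : { sandboxed: false, tokens: [] };
}

// The combination the quoted warning is about: with both tokens, a document
// from the embedder's own origin can reach the iframe element and undo the sandbox.
function isSelfRemovable(tokens, url, embedderOrigin) {
  return tokens.includes("allow-scripts") &&
         tokens.includes("allow-same-origin") &&
         new URL(url).origin === embedderOrigin;
}

// Write the attribute first, then navigate: the flags are read when the
// navigation happens, so editing the attribute alone changes nothing for
// the document that is already loaded.
function loadInFrame(frame, url, embedderOrigin) {
  const policy = sandboxPolicyFor(url);
  if (policy.sandboxed) {
    if (isSelfRemovable(policy.tokens, url, embedderOrigin)) {
      throw new Error("sandbox policy can be removed by the embedded page");
    }
    frame.setAttribute("sandbox", policy.tokens.join(" "));
  } else {
    frame.removeAttribute("sandbox"); // absent attribute, not sandbox=""
  }
  frame.src = url; // navigation picks up the attribute state set above
  return policy;
}

// In a page: loadInFrame(document.getElementById("frame"), url, location.origin);
```
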