Could you help me understand Chrome implementation of HTML5 iframe sandbox attributes allow-same-origin and allow-top-navigation?
First question:
For example when i test allow-same-origin I do:
<iframe id='frm' src="file.html" sandbox="allow-same-origin"></iframe>
...
oIFrame = document.getElementById('frm');
var oDoc = (oIFrame.contentWindow || oIFrame.contentDocument);
if (oDoc.document) {
oDoc = oDoc.document;
oDoc.getElementById('foo').innerText = 'Hello man!';
...
Content of file.html:
...
<div id="foo">Hello</div>
...
alert(document.cookie);
...
and that's work only when i have additional attribute called allow-scripts so I have sandbox="allow-scripts allow-same-origin". Alone allow-same-origin doesnt't work and alone allow-scripts works great (scripts run but not API SOP related, its ok regard to HTML5 standard).
Standard of HTML5 says:
"First, it can be used to allow content from the same site to be sandboxed to disable scripting, while still allowing access to the DOM of the sandboxed content."
Am I misunderstand that or Chrome implementation is wrong?
Second question:
Standard of HTML5 says about allow-top-navigation:
"Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening popup windows, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc."
My popups in Chrome aren't blocked. How could I block them? I use just allow-top-navigation.
Cheers, David
For the first question:
It appears this means that the parent page can still have access to the DOM of the sandboxed <iframe>
, whilst scripts in the <iframe>
itself are blocked from execution; so it's only parent -> iframe
but not iframe -> parent
Second question:
Maybe I'm misunderstanding, but as the name allow-top-navigation
implies this will allow rather than block the framed site from using things like top.location.replace()
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With