Links inside iframe (not in popup) doesnt work

Question

I have gone through other similar issues to solve this particular issue, but somehow in this case all the solutions are not working.

So here is my the question with example snippet:

I have an html file which looks like this:

<div id="portalRight">
    <a target="_blank" href="http://ictforu.com">   <!-- this link works , it opens up another tab -->
    <ul id="subtabnav">
        <li class="datasetTab">
            <a href="#">dataset</a> <!-- Click on this will trigger the dataset iframe to be loaded thru a servlet call  -->
        </li>
        <li class="obsGraphTab" data-bind="css: { disabled: !aekos.subTabViewModel.graphTabsEnabled() }">
            <a href="#">Observation Graph</a>
        </li>
        .....
    </ul>

    <div id="dataset">
        <iframe id="dataset-frame" class="graphiframe" seamless sandbox="allow-same-origin allow-scripts"></iframe>
    </div>
    <div id="testViewer">
                <iframe id="test-viewer-frame" class="graphiframe" seamless sandbox="allow-same-origin allow-scripts"></iframe>
    </div>

</div>

As you can see my iframe isn't a popup but appears under a div element: iframe contents are filled using a servlet when the link is clicked.

My iframe has base tags (base target="_parent")under header of the iframe.

I have used <base> tag to specify the behaviour and also link has target="_blank", but my links doesn't work at all. Same link works outside the iframe.

example iframe :

base target="_parent" /base 

body content:

a target="_blank" href="http://ictforu.com" /a 

this link doesn't work, clicks are ignored.

Any help is much appreciated.

Sorry had some editing issues with the html tags earlier.

Thanks, Madhu

Answer 1

I can't really explain the 'why' cause don't know much about the sandbox attribute of the iframe, but the link opened in a new tab just fine for me when I removed that attribute.

edit:

Looking into it a little more, it seems that you can add the attribute "allow-top-navigation" and then change the link to 'target=_parent' and that works, but it still will not work if you leave the target=_blank

Here is a little bit of documentation from the mozilla site

sandbox HTML5 only
If specified as an empty string, this attribute enables extra restrictions on the content that can appear in the inline frame. The value of the attribute can be a space-separated list of tokens that lift particular restrictions. Valid tokens are:

• allow-same-origin: Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
• allow-top-navigation: Allows the embedded browsing context to navigate (load) content to the top-level browsing context. If this keyword is not used, this operation is not allowed.
• allow-forms: Allows the embedded browsing context to submit forms. If this keyword is not used, this operation is not allowed.
• allow-scripts: Allows the embedded browsing context to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.

Note:

• When the embedded document has the same origin as the main page, it is strongly discouraged to use both allow-scripts and allow-same-origin at the same time, as that allows the embedded document to programmatically remove the sandbox attribute. Although it is accepted, this case is no more secure than not using the sandbox attribute.
• Sandboxing in general is only of minimal help if the attacker can arrange for the potentially hostile content to be displayed in the user's browser outside a sandboxed iframe. It is recommended that such content should be served from a separate dedicated domain, to limit the potential damage.

There isn't much more there, but here's the link

Answer 2

Sandbox gives you control to set needed permissions instead of opening up everything. Here with your need to set permission,"allow-scripts allow-popups". it will work fine. make sure you remove the configurations according to the situation.

  <iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms"
src="your_url"></iframe>