Bug 209653

Summary: events from sandboxed iframe (allow-same-origin) not firing
Product: WebKit Reporter: frisou76
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: ahmad.saleem792, ap, bfulgham, cdumez, graouts, handtrix, matb, rniwa, webkit-bug-importer
Priority: P2 Keywords: BrowserCompat, InRadar
Version: Safari 13   
Hardware: Unspecified   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=215589

Description frisou76 2020-03-27 09:01:20 PDT 
Hi.

Version:
- tested on gnome web (13.0 / ubuntu 18.04 x86_64)
- tested on virtual safari 13.0.2 (via browser stack)

Description:
Sandboxed iframe with parameter sandbox="allow-same-origin" does not fire events (any kind: onload, onclick,...), and message "Blocked script execution in '...' because the document's frame is sandboxed and the 'allow-scripts' permission is not set." is displayed in console.

Awaited:
Scripts inside the iframe must not be executed, but parent script functions attached to iframe content events should be executed, since they are trusted.

Other browsers:
Works in Firefox, Chromium, IE, Edge


Steps to reproduce:
1) Create an iframe by script with parameter sandbox="allow-same-origin"
2) Populate iframe by script with untrusted content
3) Attach iframe event like onload / onreadystatechange / onclick to a function

Code sample:

<html>
<head>
</head>
<body>
<script>
  var iframe = document.createElement('iframe');
  iframe.setAttribute('sandbox', 'allow-same-origin allow-modals'); //allow-modals is set because we use alert in button.onclick function that, however, shall not be launched
  iframe.style.width = iframe.style.height = "100%";
  document.body.appendChild(iframe);
  var idocument = iframe.contentWindow.document;
  
  var onready = idocument.onreadystatechange = function(){
    if (idocument.readyState == 'complete') {
      idocument.querySelector('button').addEventListener('click', function(ev){
        alert('This script is trusted :-)');
      }, false)
    }
  }

  idocument.write('<head></head><body><button onclick="alert(\'This script is UNTRUSTED :-(\')">click Me</button></body>');
  try{
    idocument.close()
  }catch(er){
  }
  
  // as a first workaround for webkit, let's set up a loop to check readyState
  function checkComplete(){
    if (idocument.readyState != 'complete')
      return setTimeout(checkComplete, 100);
    onready();
  }
  checkComplete();
</script>
</body>
</html>


Thanks.
Comment 1 Radar WebKit Bug Importer 2020-03-27 16:50:33 PDT 
<rdar://problem/60990768>
Comment 2 Ahmad Saleem 2022-08-29 07:26:07 PDT 
I am able to reproduce this bug in Safari Technology Preview 152 on macOS 12.5.1 using test case from Comment 01 turned into JSFiddle:

Link - https://jsfiddle.net/yp7fxow8/

When I click "Click Me", it does not show anything while in case of other browsers (Chrome Canary 107 and Firefox Nightly 106), it shows "This script is trusted :-)".

Just wanted to share updated testing results. Thanks!
Comment 3 Henrik Wenz 2022-12-12 09:58:13 PST 
The issue is still present in Safari Release 159 (Safari 16.4, WebKit 18615.1.12.130.1) 😢