Bug 215589

Summary: Sandboxed iframes don't fire DOMContentLoaded
Product: WebKit
Reporter: Matt Bierner <matb>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bfulgham, cdumez, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: Safari 13
Hardware: Mac
OS: macOS 10.15
See Also: https://bugs.webkit.org/show_bug.cgi?id=33604
          https://bugs.webkit.org/show_bug.cgi?id=209653

Attachments:
Example test case (no flags)

Description Matt Bierner 2020-08-17 15:24:05 PDT
Created attachment 406747 [details]
Example test case

Sandboxed iframes that do not set `allow-scripts` do not seem to fire `DOMContentLoaded`. Here's a quick example:

        // Sandbox without `allow-scripts`: the frame cannot run script itself,
        // but because it keeps the parent's origin (`allow-same-origin`) the
        // parent can still reach its window and register listeners on it.
        const iframe = document.createElement('iframe');
        iframe.setAttribute('sandbox', 'allow-same-origin');
        iframe.src = './other';
        document.body.append(iframe);

        // Expected to fire once ./other has been parsed; in WebKit it never does.
        iframe.contentWindow.addEventListener('DOMContentLoaded', () => {
            console.log('loaded');
        });


The event is fired if the iframe is not sandboxed or if `allow-scripts` is included in the sandbox. The sandboxed iframe does fire events in Chrome and Firefox. 

This is similar to https://bugs.webkit.org/show_bug.cgi?id=33604, but for sandboxed iframes.
Comment 1 Matt Bierner 2020-08-17 15:25:48 PDT
The same also seems to happen for the `load` event.
Comment 2 Radar WebKit Bug Importer 2020-08-18 09:57:26 PDT
<rdar://problem/67334351>
Comment 3 Alexey Proskuryakov 2022-08-24 10:06:54 PDT
This continues to behave as reported. Chrome says "Blocked script execution" in console, but the event actually gets dispatched.

Seems pretty bad, as there is no reasonable way to detect that a sandboxed frame is done loading in WebKit, so this just prompts authors to add otherwise unnecessary allow-scripts.
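An added probe, not part of the bug report or of WebKit, that loads the same URL in the three configurations the report compares (unsandboxed, sandbox without `allow-scripts`, sandbox with `allow-scripts`) and records every "done loading" signal the parent can observe for each: the iframe element's own `load` event, the frame window's `load` and `DOMContentLoaded` as in the test case above, and a `readyState` poll on `contentDocument` as a fallback. The outcome bookkeeping is kept in plain functions so it can be checked outside a browser. Assumptions that the bug does not state: the probe page is same-origin with `./other`, so `contentDocument` is readable when `allow-same-origin` is set; the `readyState` fallback is an idea to test, not documented WebKit behaviour; and, like the test case, the window listeners rely on the browser reusing the initial `about:blank` Window for the first same-origin navigation. `CONFIGS`, `LoadSignals`, `probeFrame`, `runProbes` and `needsAllowScriptsForLoadSignal` are names chosen here.

```javascript
// Added example: cross-browser probe for "when is a sandboxed iframe done loading?"
// Not code from the bug report or from WebKit. Names below are ours.

// The three configurations the bug compares. null = no sandbox attribute.
const CONFIGS = {
  'unsandboxed': null,
  'sandbox, no scripts': 'allow-same-origin',
  'sandbox + allow-scripts': 'allow-same-origin allow-scripts',
};

// Pure bookkeeping: which signals arrived for one configuration.
class LoadSignals {
  constructor() { this.seen = new Set(); }
  record(name) { this.seen.add(name); }
  // 'event' if any DOM event announced completion, 'poll' if only the
  // readyState fallback did, 'none' if nothing arrived before the deadline.
  outcome() {
    const events = ['iframe:load', 'window:load', 'window:DOMContentLoaded'];
    if (events.some((e) => this.seen.has(e))) return 'event';
    if (this.seen.has('poll:complete')) return 'poll';
    return 'none';
  }
}

// True when the only way to get a load event out of a sandboxed frame is to
// grant allow-scripts, i.e. the situation Comment 3 warns about.
function needsAllowScriptsForLoadSignal(outcomes) {
  return outcomes['sandbox, no scripts'] !== 'event'
      && outcomes['sandbox + allow-scripts'] === 'event';
}

// Browser-only: load `src` in one configuration and collect signals for timeoutMs.
function probeFrame(src, sandbox, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const signals = new LoadSignals();
    const iframe = document.createElement('iframe');
    if (sandbox !== null) iframe.setAttribute('sandbox', sandbox);
    // Signal 1: the element's own load event, dispatched in the parent document.
    iframe.addEventListener('load', () => signals.record('iframe:load'));
    iframe.src = src;
    document.body.append(iframe);
    // Signals 2 and 3: listeners on the frame's window, exactly as in the test case.
    // Assumption: the initial about:blank Window is reused for the first
    // same-origin navigation, otherwise these listeners are simply lost.
    const w = iframe.contentWindow;
    w.addEventListener('load', () => signals.record('window:load'));
    w.addEventListener('DOMContentLoaded', () => signals.record('window:DOMContentLoaded'));
    // Signal 4 (fallback, assumed not verified): poll readyState of the loaded
    // document. contentDocument is null without same-origin access, and the
    // initial about:blank is already 'complete', so skip it explicitly.
    const poll = setInterval(() => {
      const doc = iframe.contentDocument;
      if (doc && doc.location.href !== 'about:blank' && doc.readyState === 'complete') {
        signals.record('poll:complete');
      }
    }, 50);
    setTimeout(() => {
      clearInterval(poll);
      iframe.remove();
      resolve(signals);
    }, timeoutMs);
  });
}

// Browser-only: run every configuration in turn and summarise.
async function runProbes(src = './other') {
  const outcomes = {};
  for (const [label, sandbox] of Object.entries(CONFIGS)) {
    const signals = await probeFrame(src, sandbox);
    outcomes[label] = signals.outcome();
    console.log(label + ': ' + ([...signals.seen].join(', ') || '(nothing)'));
  }
  console.log('allow-scripts needed just to detect load: '
      + needsAllowScriptsForLoadSignal(outcomes));
  return outcomes;
}

// Only kick off the DOM work when there is a DOM; the helpers above are
// usable (and testable) without one.
if (typeof document !== 'undefined') runProbes();
```

Run it from a page served at the same origin as `./other` and compare the printed lines across Safari, Chrome and Firefox: the row for "sandbox, no scripts" is the one the report is about. If only `poll:complete` shows up there, the frame did finish loading and the parent could tell, but without any event, which is the gap Comment 3 describes; if not even the poll fires, the fallback assumption does not hold in that browser either. Whatever the result, `needsAllowScriptsForLoadSignal` returning true is the concrete cost of the bug: an author who needs a load signal is pushed into widening the sandbox.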