Bug 215589 - Sandboxed iframes don't fire DOMContentLoaded
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: Safari 13
Hardware: Mac macOS 10.15
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2020-08-17 15:24 PDT by Matt Bierner
Modified: 2022-08-24 10:06 PDT

Attachments
Example test case (751 bytes, application/zip)
2020-08-17 15:24 PDT, Matt Bierner

Description Matt Bierner 2020-08-17 15:24:05 PDT
Created attachment 406747
Example test case

Sandboxed iframes that do not set `allow-scripts` do not seem to fire `DOMContentLoaded`. Here's a quick example:

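        // Create an iframe sandboxed without `allow-scripts`
        const iframe = document.createElement('iframe');
        iframe.setAttribute('sandbox', 'allow-same-origin');
        iframe.src = './other';
        document.body.append(iframe);

        // Expected to log once the framed document is parsed; does not fire in WebKit
        iframe.contentWindow.addEventListener('DOMContentLoaded', () => {
            console.log('loaded');
        });
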

The event is fired if the iframe is not sandboxed or if `allow-scripts` is included in the sandbox. The sandboxed iframe does fire events in Chrome and Firefox. 

This is similar to https://bugs.webkit.org/show_bug.cgi?id=33604 but for sandboxed iframes.
Comment 1 Matt Bierner 2020-08-17 15:25:48 PDT
The same also seems to happen for the `load` event.
Comment 2 Radar WebKit Bug Importer 2020-08-18 09:57:26 PDT
<rdar://problem/67334351>
Comment 3 Alexey Proskuryakov 2022-08-24 10:06:54 PDT
This continues to behave as reported. Chrome says "Blocked script execution" in console, but the event actually gets dispatched.

Seems pretty bad, as there is no reasonable way to detect that a sandboxed frame is done loading in WebKit, so this just prompts authors to add otherwise unnecessary allow-scripts.
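
The workaround Comment 3 warns about, as an added example that is not part of the bug report or WebKit's code: a small checker for `sandbox` attribute values that reports when `allow-scripts` has been added, and flags its combination with `allow-same-origin` (the token used in the test case), which lets same-origin framed content remove its own sandbox. The function names and sample values are constructed for illustration.

```javascript
// Added example: audit iframe `sandbox` values for the workaround this bug encourages.
// Token names come from the HTML sandbox attribute; function names are hypothetical.

// Sandbox values are space-separated, ASCII case-insensitive tokens.
function parseSandbox(value) {
  if (value === null || value === undefined) return null; // attribute absent
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

function auditSandbox(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) {
    return { level: 'unsandboxed', scripts: true,
             reason: 'no sandbox attribute, frame is unrestricted' };
  }
  const scripts = tokens.has('allow-scripts');
  const sameOrigin = tokens.has('allow-same-origin');
  if (scripts && sameOrigin) {
    return { level: 'escapable-if-same-origin', scripts,
             reason: 'same-origin framed content can script the parent and remove the sandbox attribute' };
  }
  if (scripts) {
    return { level: 'scripts-enabled', scripts,
             reason: 'framed content runs script in an opaque origin' };
  }
  return { level: 'no-scripts', scripts,
           reason: 'script execution is blocked in the frame' };
}

// Constructed sample values: the test case's setting, the workaround applied to it,
// a script-only sandbox, the fully restricted empty value, and no attribute at all.
const SAMPLES = [
  'allow-same-origin',
  'allow-same-origin allow-scripts',
  'Allow-Scripts',
  '',
  null,
];

function auditAll(samples) {
  return samples.map((s) => ({ sandbox: s, ...auditSandbox(s) }));
}

for (const row of auditAll(SAMPLES)) {
  console.log(JSON.stringify(row.sandbox), '->', row.level, '-', row.reason);
}
```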