On Fri, Apr 12, 2013 at 4:56 PM, Ian Melven <imel...@mozilla.com> wrote:
> Freddy Braun recently noticed that he could do the following in Firefox :
>
> <iframe id='foo' sandbox='allow-same-origin' src='inner.html'>
>
> (note no allow-scripts)
>
> and then in the document containing the iframe:
>
> var iframe = document.getElementById('foo');
> iframe.contentWindow.eval("alert(document.location)");
>
> and the alert will fire, which he found surprising.
That's the behavior I would expect. You can also do the following:
var iframe = document.getElementById('foo');
iframe.contentWindow.alert("hello");
The allow-scripts sandbox flag doesn't block the script interfaces
inside the iframe. It just prevents content inside the iframe from
triggering script execution. In this case, the content outside the
iframe is the one triggering the script execution.
Adam
