Skip to content

Commit

Permalink
Adds clarifying note to using sandbox with iframe tag (mdn#31164)
Browse files Browse the repository at this point in the history
* Add clarifying note to using sandbox with iframe tag

* Clarifying language around sandbox attribute pitfalls

---------

Co-authored-by: Chris Mills <[email protected]>
  • Loading branch information
Tenkir and chrisdavidmills authored Jan 2, 2024
1 parent 1c4eb0b commit 3dac1a1
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion files/en-us/web/html/element/iframe/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib
- `allow-popups`
- : Allows popups (like from {{domxref("Window.open()")}}, `target="_blank"`, {{domxref("Window.showModalDialog()")}}). If this keyword is not used, that functionality will silently fail.
- `allow-popups-to-escape-sandbox`
- : Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to.
- : Allows a sandboxed document to open a new browsing context without forcing the sandboxing flags upon it. This will allow, for example, a third-party advertisement to be safely sandboxed without forcing the same restrictions upon the page the ad links to. If this flag is not included, a redirected page, popup window, or new tab will be subject to the same sandbox restrictions as the originating `<iframe>`.
- `allow-presentation`
- : Allows embedders to have control over whether an iframe can start a [presentation session](/en-US/docs/Web/API/PresentationRequest).
- `allow-same-origin`
Expand All @@ -125,6 +125,8 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib
> - When the embedded document has the same origin as the embedding page, it is **strongly discouraged** to use both `allow-scripts` and `allow-same-origin`, as that lets the embedded document remove the `sandbox` attribute — making it no more secure than not using the `sandbox` attribute at all.
> - Sandboxing is useless if the attacker can display content outside a sandboxed `iframe` — such as if the viewer opens the frame in a new tab. Such content should be also served from a _separate origin_ to limit potential damage.
> **Note:** When redirecting the user, opening a popup window, or opening a new tab from an embedded page within an `<iframe>` with the `sandbox` attribute, the new browsing context is subject to the same `sandbox` restrictions. This can create issues — for example, if a page embedded within an `<iframe>` without a `sandbox="allow-forms"` or `sandbox="allow-popups-to-escape-sandbox"` attribute set on it opens a new site in a separate tab, form submission in that new browsing context will silently fail.
- `src`
- : The URL of the page to embed. Use a value of `about:blank` to embed an empty page that conforms to the [same-origin policy](/en-US/docs/Web/Security/Same-origin_policy#inherited_origins). Also note that programmatically removing an `<iframe>`'s src attribute (e.g. via {{domxref("Element.removeAttribute()")}}) causes `about:blank` to be loaded in the frame in Firefox (from version 65), Chromium-based browsers, and Safari/iOS.
- `srcdoc`
Expand Down

0 comments on commit 3dac1a1

Please sign in to comment.