I'm using a same-origin iframe to load a foreign widget (tlk.io loaded through a cross-origin script). I'm trying to give the iframe/widget the lowest possible rights to isolate it from my app.
MDN gives the following warning:
Notes about sandboxing:
When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
Firefox devtools show me this warning:
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.
My question is: in this situation (sandbox="allow-same-origin allow-scripts") how could an iframe remove its sandboxing? What js code would perform this?
From the iframe, I tried looking at window.opener but it's null. window.parent is not referring to the parent. I can't find references to the «iframe» from the iframe itself...
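The MDN note quoted above describes the weak combination in words; the following is an added audit helper written for this page (editor's example, not code from the poster, from tlk.io or from MDN) that checks an iframe's sandbox value for it and proposes the tightened attribute. The function names, the sameOrigin flag and the sample attribute strings are assumptions made here; the rule itself is the documented one: when the framed document shares the embedder's origin and the sandbox grants both allow-scripts and allow-same-origin, script in the frame can reach the embedder's DOM and strip the attribute, so the sandbox is not effective.

```javascript
// Added example (not from the original post): audit an <iframe> sandbox value
// for the MDN-documented weak combination and suggest the hardened value.
// Assumptions: `value` is the raw sandbox attribute string (null if absent);
// `sameOrigin` says whether the framed document shares the embedder's origin.

function parseSandboxTokens(value) {
  // sandbox is a space-separated, ASCII case-insensitive token set.
  if (value === null || value === undefined) return null; // attribute absent
  return new Set(
    value.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

function auditSandbox(value, sameOrigin) {
  const tokens = parseSandboxTokens(value);
  if (tokens === null) {
    return { effective: false, reason: 'no sandbox attribute: frame has full rights' };
  }
  const scripts = tokens.has('allow-scripts');
  const origin = tokens.has('allow-same-origin');
  if (scripts && origin && sameOrigin) {
    // Same origin + scripts: the frame can touch the embedder's DOM, including
    // the element that carries its own sandbox attribute.
    return {
      effective: false,
      reason: 'allow-scripts + allow-same-origin on a same-origin frame: ' +
              'frame script can reach the embedder DOM and remove the attribute',
    };
  }
  if (scripts && origin) {
    return {
      effective: true,
      reason: 'cross-origin frame: allow-same-origin only keeps the frame\'s own origin',
    };
  }
  return { effective: true, reason: 'framed document cannot remove its sandbox' };
}

// Hardened value: drop allow-same-origin so the frame gets an opaque origin and
// keeps scripting. Other tokens are preserved (sorted for stable output).
function recommendSandbox(value) {
  const tokens = parseSandboxTokens(value) || new Set();
  tokens.delete('allow-same-origin');
  return [...tokens].sort().join(' ');
}

// Browser-only helper (needs a DOM): audit every iframe on the current page.
function isSameOriginFrame(frame, doc) {
  if (frame.hasAttribute('srcdoc')) return true;          // srcdoc inherits origin
  const src = frame.getAttribute('src');
  if (!src || src === 'about:blank') return true;         // about:blank inherits origin
  try {
    return new URL(src, doc.baseURI).origin === new URL(doc.baseURI).origin;
  } catch {
    return false;                                          // unparsable: treat as foreign
  }
}

function auditPageIframes(doc = globalThis.document) {
  return [...doc.querySelectorAll('iframe')].map((f) => ({
    src: f.getAttribute('src') || (f.hasAttribute('srcdoc') ? '(srcdoc)' : ''),
    ...auditSandbox(f.getAttribute('sandbox'), isSameOriginFrame(f, doc)),
  }));
}

// Constructed sample values, as used in the question:
const weak = auditSandbox('allow-same-origin allow-scripts', true);
const fixed = recommendSandbox('allow-same-origin allow-scripts');
console.log(weak.effective, weak.reason);   // false ...
console.log(fixed);                          // allow-scripts
```

In a browser console, auditPageIframes() lists each frame with whether its sandbox is effective; the fix it points to for the question's setup is either to drop allow-same-origin (the widget then runs with an opaque origin) or to serve the frame document from a separate origin, since the cross-origin case is the one the MDN note does not warn about.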