11429 2010-11-29 22:52:29 +0000 If allow-top-navigation is set, can the content navigate to a javascript url to run scripts in the parent domain? 2011-08-04 05:06:20 +0000 1 1 1 Unclassified HTML WG LC1 HTML5 spec unspecified Other other RESOLVED FIXED http://www.whatwg.org/specs/web-apps/current-work/#the-iframe-element P3 normal --- 1 contributor ian ian mike public-html-admin public-html-wg-issue-tracking public-html-bugzilla oldest_to_newest 42864 0 contributor 2010-11-29 22:52:29 +0000 Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html Section: http://www.whatwg.org/specs/web-apps/current-work/#the-iframe-element Comment: If allow-top-navigation is set, can the content navigate to a javascript url to run scripts in the parent domain? Posted from: 131.107.0.116 44042 1 ian 2011-01-10 22:33:50 +0000 Only if the iframe also has allow-same-origin set, because if it does not, the origin of the script is the origin of the sandboxed browsing context, which is different than the origin of the top-level browsing context. Having said that, it's an interesting point that sandbox="allow-same-origin allow-top-navigation" essentially enabled scripting. So I fixed that. EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Partially Accepted Change Description: see diff given below Rationale: see above 44043 2 contributor 2011-01-10 22:34:16 +0000 Checked in as WHATWG revision r5756. Check-in comment: Ensure that sandbox='allow-same-origin allow-top-navigation' doesn't allow sandboxed pages to run scripts 'by proxy' (through the top-level browsing context) http://html5.org/tools/web-apps-tracker?from=5755&to=5756 53062 3 mike 2011-08-04 05:06:20 +0000 mass-moved component to LC1