
When using an HTML5 sandboxed iframe I want the iframe to not be able to change its location:

<iframe sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts" class="iframe visible" src="thesource.html" width="100%" scrolling="auto" frameborder="0"></iframe>

It works great in Chrome, but in Firefox a sandboxed iframe can still redirect.

It's a known bug, but how can I patch it so that all Firefox users won't be redirected?

Tom

  • Iframes are generally pretty well sandboxed, so if something has not been enabled by the browser (or is bugged and doesn't work), I don't think it's possible to get a workaround doing it for you. – Joeytje50 Feb 09 '14 at 01:38
  • What do you need this for, anyway? Perhaps knowing that would help find the exact problem. – Joeytje50 Feb 09 '14 at 02:26

1 Answer

Example:

An <iframe> with extra restrictions:

<iframe src="demo_iframe_sandbox.htm" sandbox=""></iframe>

The sandbox attribute is supported in Internet Explorer 10, Firefox, Chrome, and Safari.

Note: The sandbox attribute is not supported in Internet Explorer 9 and earlier versions, or in Opera.

Definition and Usage

If specified as an empty string (sandbox=""), the sandbox attribute enables a set of extra restrictions for the content in the inline frame.

The value of the sandbox attribute can either be an empty string (all the restrictions are applied), or a space-separated list of pre-defined values that will REMOVE particular restrictions.

Differences Between HTML 4.01 and HTML5

The sandbox attribute is new in HTML5.

Syntax

<iframe sandbox="value">

Attribute Values

  1. "" => Applies all restrictions below
  2. allow-same-origin => Allows the iframe content to be treated as being from the same origin as the containing document
  3. allow-top-navigation => Allows the iframe content to navigate (load) content from the containing document
  4. allow-forms => Allows form submission
  5. allow-scripts => Allows script execution

javascript: is a kind of weird URI protocol. It works in some contexts, like , but not all - for instance, a window's location can not be set to such a URI. (While you can assign a javascript: URI to window.location as a really roundabout way of running a script, the window's location doesn't stay set to that value.)

To write content into an IFRAME, get a reference to the frame's document and write to it. Doing so will require that you set the allow-same-origin sandbox flag.

<iframe id="myframe" sandbox="allow-scripts allow-same-origin" src="about:blank"></iframe>

<script>
    // about:blank is same-origin with the parent, and allow-same-origin keeps it
    // that way, so contentDocument is reachable; without that flag the frame gets
    // an opaque origin and contentDocument is null.
    var frame = document.getElementById("myframe");
    var fdoc = frame.contentDocument;

    fdoc.write("Hello world"); // or whatever
</script>

Live example: http://jsfiddle.net/wUvrF/1/

evergreen
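As an added example that is not part of the question or the answer above: a small Node-runnable model of how a browser reads the sandbox token list, applied to the attribute value from the question and to the attribute values from the answer. The token names and what each one lifts follow the HTML spec (tokens are ASCII-whitespace separated and matched ASCII case-insensitively; an unrecognised token lifts nothing). Only the tokens discussed on this page are modelled; the function names, the report shape and the assumption that thesource.html is same-origin with the embedding page are this example's own.

```javascript
// Added example, not code from the question or the answer: a model of how a
// browser interprets an iframe sandbox attribute, so a token list can be
// checked for what it actually permits. Token names and meanings follow the
// HTML spec; function names, report shape and sample values are assumptions
// of this example, and only the tokens mentioned on the page are covered.

// Each token lifts exactly one restriction. A restriction whose token is
// absent stays in force whenever the attribute is present at all.
const TOKEN_LIFTS = {
  "allow-forms": "forms",
  "allow-scripts": "scripts",
  "allow-same-origin": "origin",           // keep the real origin, not an opaque one
  "allow-top-navigation": "topNavigation", // let the frame navigate the embedding page
  "allow-popups": "popups",
  "allow-pointer-lock": "pointerLock",
};

// Parse a sandbox attribute value into the set of restrictions still in force.
// null/undefined means the attribute is absent: no sandbox, nothing restricted.
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) {
    return { sandboxed: false, restricted: new Set(), unknownTokens: [] };
  }
  const restricted = new Set(Object.values(TOKEN_LIFTS));
  const unknownTokens = [];
  for (const raw of attrValue.split(/[ \t\n\f\r]+/)) {
    if (raw === "") continue;
    const token = raw.toLowerCase();
    if (Object.prototype.hasOwnProperty.call(TOKEN_LIFTS, token)) {
      restricted.delete(TOKEN_LIFTS[token]);
    } else {
      unknownTokens.push(raw); // a misspelt token lifts nothing; frame stays fully locked down
    }
  }
  return { sandboxed: true, restricted, unknownTokens };
}

// Can content inside the frame navigate the top-level page, i.e. redirect the
// user away from the embedding document?
function canNavigateTop(attrValue) {
  const p = parseSandbox(attrValue);
  return !p.sandboxed || !p.restricted.has("topNavigation");
}

// Can the framed document get rid of its own sandbox? When the frame is
// same-origin with its parent and has both allow-scripts and allow-same-origin,
// its script can reach parent.document, remove the sandbox attribute and
// reload itself, which makes every other restriction moot.
function canEscapeSandbox(attrValue, sameOriginAsParent) {
  const p = parseSandbox(attrValue);
  if (!p.sandboxed) return true;
  return Boolean(sameOriginAsParent) &&
    !p.restricted.has("scripts") &&
    !p.restricted.has("origin");
}

// Review one attribute value for a given deployment and return the findings.
function reviewSandbox(attrValue, sameOriginAsParent) {
  const p = parseSandbox(attrValue);
  return {
    blocksTopNavigation: !canNavigateTop(attrValue),
    escapable: canEscapeSandbox(attrValue, sameOriginAsParent),
    unknownTokens: p.unknownTokens,
    stillRestricted: [...p.restricted].sort(),
  };
}

// The attribute from the question. Assumption (constructed for this example):
// thesource.html is served from the same origin as the embedding page.
const QUESTION_ATTR =
  "allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts";

// Demonstration: the question's frame cannot navigate top by itself, but with
// allow-scripts + allow-same-origin on a same-origin document it can drop the
// sandbox entirely; the answer's sandbox="" frame can do neither.
console.log(reviewSandbox(QUESTION_ATTR, true));
console.log(reviewSandbox("", true));
```

The practical reading for the question's markup: with no allow-top-navigation token the sandbox itself should block redirects of the parent, so if the framed page is same-origin the thing to remove first is allow-same-origin (or allow-scripts), because that pair lets the frame strip the sandbox attribute and then navigate freely.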