html5 javascript- How to catch attempt to initiate navigation out of sandboxed iframe?

Question

I have an sandboxed iframe that doesn't allow changing location:

<iframe sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts" class="iframe visible" src="thesource.html" width="100%" scrolling="auto" frameborder="0"></iframe>

If the iframe tries to unframe itself or change location I see a blank page because the browser stops the iframe's operation. This is the log from Chrome:

Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://example.com' from frame with URL 'http://otherdomaian.com'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.

That is great but I want to catch this so if it happens I'll move to the next iframe. So how do I catch this attempt?

EDIT:

I added a jsfiddle code (check the error in the console log)

I also tried to listen for an event with no success:

document.addEventListener('error', receiveMessage, true);
function receiveMessage(error) {
    alert("iframe tried to unframe itself");
}

Does this include the case where someone clicks a link and it has a target set to `_parent` or `_top`? — Gohn67, Feb 09 '14 at 06:24

hert · Answer 1 · 2014-02-24T17:30:37.033

I am new here so I don't have enough reputation to comment on answers and I apologize if I am doing this wrong, but the accepted solution will unfortunately not be able to accomplish what you are looking for.

I was able to demonstrate what I mean by having the script from the JSFiddle above run once the DOM is ready (there will be no alert but still an error in the console). Here's a little more detail on what happens currently with that fiddle:

// running with the No wrap - in <head> option
var frame = document.querySelector('iframe'); // null, the iframe isn't there yet
try {
    frame.src="http://wedesignthemes.com/themes/redirect.php?theme=wedding";
} catch(e) {
    // TypeError here, no hints about the iframe :(
    alert('Error!');
}

The exception that is being caught has nothing to do with the iframe, it is actually a type error from trying to set the src property on a null value.

What you really want to do is catch the error inside of the iframe (when the sandboxed script tries to access window.top), but this is not possible because of the Same-origin policy. Btw, setting the "allow-same-origin" sandbox flag only has any effect when the iframe content is being served from the same origin as the top level document. E.g. as soon as the src or location of the iframe is changed to a different origin, there's no way to touch anything inside.

There are ways to communicate across iframe boundaries, such as with window.postMessage or the older and hackier way of using the iframe's location.hash, but I am assuming you can't affect the source of the page going into your iframe. (A nice developer would of course be open to suggestions and see that a feature like this could be useful.)

The only way that I was able to catch this error without violating any browser security policies was to set the allow-top-navigation sandbox flag and then use the window.onbeforeunload handler in the top level document to catch the navigation attempt from the child iframe. I would never recommend this because the user experience is awful. There is no way to prevent the navigation without prompting the user about whether they want to leave the page or not. Proof of concept below:

<iframe id="myframe" sandbox="allow-scripts allow-top-navigation"></iframe>
<script>
  var url = "http://wedesignthemes.com/themes/redirect.php?theme=wedding",
      frame = document.getElementById("myframe"),
      listener;
  listener = window.addEventListener("beforeunload", function(e) {
      e.preventDefault();
      e.stopImmediatePropagation();
      // The iframe tried to bust out!
      window.removeEventListener("beforeunload", listener);
      return "This is unavoidable, you cannot shortcut a " +
             "navigation attempt without prompting the user";
  });
  frame.src = url;
</script>

So unfortunately I can't find any ways to do this nicely in current browser implementations without help from your 3rd party content developer. I read some interesting things in the HTML5 spec that might allow us to do things like this in the future (and am unfortunately maxed out on my number of links I can insert here), so I would keep an eye out as things progress.

I've updated my answer with big red flags so people don't use it. Thank you for catching this and pointing it out! — Tyler Eich, Mar 17 '15 at 03:19

evergreen · Answer 2 · 2014-02-09T06:07:42.627

Example:

An with extra restrictions:

<iframe src="demo_iframe_sandbox.htm" sandbox=""></iframe>

the sandbox attribute is supported in Internet Explorer 10, Firefox, Chrome, and Safari.

Note: The sandbox attribute is not supported in Internet Explorer 9 and earlier versions, or in Opera.

Definition and Usage

If specified as an empty string (sandbox=""), the sandbox attribute enables a set of extra restrictions for the content in the inline frame.

The value of the sandbox attribute can either be an empty string (all the restrictions is applied), or a space-separated list of pre-defined values that will REMOVE particular restrictions.

Differences Between HTML 4.01 and HTML5

The sandbox attribute is new in HTML5.

Syntax

<iframe sandbox="value">

Attribute Values

"" => Applies all restrictions below
allow-same-origin => Allows the iframe content to be treated as being from the same origin as the containing document
allow-top-navigation => Allows the iframe content to navigate (load) content from the containing document
allow-forms => Allows form submission
allow-scripts => Allows script execution

javascript: is a kind of weird URI protocol. It works in some contexts, like , but not all - for instance, a window's location can not be set to such a URI. (While you can assign a javascript: URI to window.location as a really roundabout way of running a script, the window's location doesn't stay set to that value.)

To write content into an IFRAME, get a reference to the frame's document and write to it. Doing so will require that you set the allow-same-origin sandbox flag.

<iframe id="myframe" sandbox="allow-scripts allow-same-origin" src="about:blank"></iframe>

<script>
    var frame = document.getElementById("myframe");
    var fdoc = frame.contentDocument;

    fdoc.write("Hello world"); // or whatever
</script>

Live example: http://jsfiddle.net/wUvrF/1/

score -1 · Answer 3 · answered Apr 16 '19 at 03:02

-1

You can now do this with allow-top-navigation-by-user-activation

answered Apr 16 '19 at 03:02

Andrew Fader

42
5

html5 javascript- How to catch attempt to initiate navigation out of sandboxed iframe?

3 Answers3

Linked