4

I am embedding an iframe into codepen to be able to play with some CSP settings

My iFrame is set as follows with the sandbox attributes set

    <!-- iframe is not a void element: it needs an explicit closing tag -->
    <iframe src="https://myurl"
            sandbox="allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-forms allow-popups allow-same-origin"
            style="border: 1px solid black"></iframe>

When the iFrame loads, I get this error message when the script in the target URL runs

Unsafe JavaScript attempt to initiate navigation for frame with origin 'https://codepen.io' from frame with URL 'https://myurl'. The frame attempting navigation of the top-level window is sandboxed, but the flag of 'allow-top-navigation' or 'allow-top-navigation-by-user-activation' is not set.

I am confused, as both of the referenced flags are set in my sandbox attribute (after allow-scripts).

What am I missing?

Mike

1 Answer

0

Codepen limits the privileges of the code inside it. Do "View source" on the Codepen page, and I bet you will see an outer iframe around the one you created, with more restrictive sandbox attributes on the outer iframe.

Kalinda Pride
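To see why an outer frame matters, here is an added example (not part of the original answer) that models how nested sandbox attributes combine: each frame's restrictions accumulate, so an inner iframe can never grant itself a flag an ancestor withheld. The outer wrapper's flag list is a constructed assumption standing in for whatever Codepen actually uses; the inner list is the one from the question.

```javascript
// Added example: effective sandbox permissions of a nested iframe chain.
// The HTML spec defines a nested document's sandboxing flag set as the
// union of the restrictions of the <iframe> and of the parent document,
// which is the same as intersecting the permissions granted at each level.

const KNOWN_FLAGS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Parse a sandbox attribute value into the permissions it grants.
// null means "no sandbox attribute" (unrestricted); "" means fully sandboxed.
function parseSandbox(attr) {
  if (attr === null) return new Set(KNOWN_FLAGS);
  return new Set(
    attr.toLowerCase().split(/\s+/).filter((t) => KNOWN_FLAGS.has(t))
  );
}

// Permissions the innermost frame really has; chain is outermost first.
function effectiveSandbox(chain) {
  return chain.map(parseSandbox).reduce(
    (acc, flags) => new Set([...acc].filter((f) => flags.has(f))),
    new Set(KNOWN_FLAGS)
  );
}

// Flags the innermost frame requested but does not actually hold, which is
// exactly what the browser complains about in the question's error message.
function missingFlags(chain) {
  const requested = parseSandbox(chain[chain.length - 1]);
  const effective = effectiveSandbox(chain);
  return [...requested].filter((f) => !effective.has(f)).sort();
}

// Constructed chain: an assumed outer wrapper with no top-navigation flags,
// around the iframe from the question.
const OUTER_WRAPPER = "allow-scripts allow-same-origin allow-forms allow-popups";
const QUESTION_IFRAME =
  "allow-scripts allow-top-navigation allow-top-navigation-by-user-activation " +
  "allow-forms allow-popups allow-same-origin";

console.log(missingFlags([OUTER_WRAPPER, QUESTION_IFRAME]));
// → [ 'allow-top-navigation', 'allow-top-navigation-by-user-activation' ]
```

Run it in any browser console or with Node to confirm that removing the wrapper (passing `null` as the outer entry) makes the missing list empty.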