Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#9705 closed Bug (invalid)

Various errors when running inside of an iframe with sandbox="allow-scripts"

Reported by: Olek Nowodziński Owned by:
Priority: Normal Milestone:
Component: General Version: 3.0
Keywords: Cc:

Description

Due to security restrictions, some browsers (latest Chrome, Firefox 17) throw errors when the editor is being run inside of an iframe with sandbox="allow-scripts". A research is needed.

Chrome:

Sandbox access violation: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL http://ckeditor4.t/ckeditor/samples/replacebycode.html. Both frames are sandboxed into unique origins. wysiwygarea.js:91

Firefox:

Error: Permission denied to access property 'document' wysiwygarea.js:91
  • Use attached sandbox.html to reproduce.
  • First report was in #9701.
  • There can be more errors like this.

Attachments (2)

sandbox.html (366 bytes) - added by Olek Nowodziński 11 years ago.
sandboxes.zip (1.2 KB) - added by Olek Nowodziński 11 years ago.

Download all attachments as: .zip

Change History (8)

Changed 11 years ago by Olek Nowodziński

Attachment: sandbox.html added

comment:1 Changed 11 years ago by Olek Nowodziński

comment:2 Changed 11 years ago by Frederico Caldeira Knabben

Milestone: CKEditor 4.0.1CKEditor 4.0.2

comment:3 Changed 11 years ago by Jakub Ś

Status: newconfirmed
Version: 4.03.0

This of course (since its browser feature) can be reproduced from CKEditor 3.0 and only in Firefox and Chrome (browsers supporting this feature).

comment:4 Changed 11 years ago by Jakub Ś

I'm not sure if this ticket is valid.

  1. Please have a look at possible values http://www.w3schools.com/html5/att_iframe_sandbox.asp
  2. Next look at the error - "Sandbox access violation: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL ... "Both frames are sandboxed into unique origins".
  3. Taking to above into account all you have to do for iframed editor is (Notice allow-same-origin) adding extra attribute value:
    <iframe src="replacebycode.html" width="1100" height="800" sandbox="allow-scripts allow-same-origin">
    

Works in both FF and Chrome.

Last edited 11 years ago by Jakub Ś (previous) (diff)

Changed 11 years ago by Olek Nowodziński

Attachment: sandboxes.zip added

comment:5 Changed 11 years ago by Olek Nowodziński

Resolution: invalid
Status: confirmedclosed

Confirmed, this is not a bug. This is how things work:

The sandbox attribute, when specified, enables a set of extra restrictions on any content hosted by the iframe. Its value must be an unordered set of unique space-separated tokens that are ASCII case-insensitive. The allowed values are allow-forms, allow-popups, allow-same-origin, allow-scripts, and allow-top-navigation. When the attribute is set, the content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts, and plugins are secured.

The allow-same-origin keyword allows the content to be treated as being from the same origin instead of forcing it into a unique origin, the allow-top-navigation keyword allows the content to navigate its top-level browsing context, and the allow-forms, allow-popups and allow-scripts keywords re-enable forms, popups, and scripts respectively. (dev.w3.org)

Inserting sandbox attribute means that everything is down (script execution, DOM navigation). By extending this attribute, however, we can re-enable individual features, one by one.

Once sandbox="allow-scripts" is used, it allows scripts inside the iframe to be executed so CKEDITOR namespace and editor instances are created. This is not enough since CKEditor often requires communication between iframe (framed editor editable) and parent window. Without allow-same-origin attribute this communication is disabled and several errors are being produced.

This issue implies that sandbox attribute affects all nested iframes as well. Use sandboxes.zip to play with three separate web pages (Sandbox1 > Sandbox2 > Sandbox3) and see that appending sandbox attribute to the topmost iframe also disables communication between Sandbox2 <-> Sandbox3 (Sandbox3 is like a framed editable). Moreover, adding sandbox="allow-scripts allow-same-origin" to the iframe inside Sandbox2 doesn't change anything (there's no way to override the top-level restriction).

To sum up: sandbox="allow-scripts allow-same-origin" needs to be added to the top-level iframe to have CKEditor working in such case.

Anyway, you can also play with sandbox attribute by using this nice demo: http://kouder.net/images/demos/sandbox/index.html

comment:6 Changed 11 years ago by Frederico Caldeira Knabben

Milestone: CKEditor 4.0.2
Note: See TracTickets for help on using tickets.
© 2003 – 2022, CKSource sp. z o.o. sp.k. All rights reserved. | Terms of use | Privacy policy