Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#9705 closed Bug (invalid)

Various errors when running inside of an iframe with sandbox="allow-scripts"

Reported by: Olek Nowodziński Owned by:
Priority: Normal Milestone:
Component: General Version: 3.0
Keywords: Cc:

Description

Due to security restrictions, some browsers (latest Chrome, Firefox 17) throw errors when the editor is being run inside of an iframe with sandbox="allow-scripts". A research is needed.

Chrome:

Sandbox access violation: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL http://ckeditor4.t/ckeditor/samples/replacebycode.html. Both frames are sandboxed into unique origins. wysiwygarea.js:91

Firefox:

Error: Permission denied to access property 'document' wysiwygarea.js:91
  • Use attached sandbox.html to reproduce.
  • First report was in #9701.
  • There can be more errors like this.

Attachments (2)

sandbox.html (366 bytes) - added by Olek Nowodziński 7 years ago.
sandboxes.zip (1.2 KB) - added by Olek Nowodziński 6 years ago.

Download all attachments as: .zip

Change History (8)

Changed 7 years ago by Olek Nowodziński

Attachment: sandbox.html added

comment:1 Changed 6 years ago by Olek Nowodziński

comment:2 Changed 6 years ago by Frederico Caldeira Knabben

Milestone: CKEditor 4.0.1CKEditor 4.0.2

comment:3 Changed 6 years ago by Jakub Ś

Status: newconfirmed
Version: 4.03.0

This of course (since its browser feature) can be reproduced from CKEditor 3.0 and only in Firefox and Chrome (browsers supporting this feature).

comment:4 Changed 6 years ago by Jakub Ś

I'm not sure if this ticket is valid.

  1. Please have a look at possible values http://www.w3schools.com/html5/att_iframe_sandbox.asp
  2. Next look at the error - "Sandbox access violation: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL ... "Both frames are sandboxed into unique origins".
  3. Taking to above into account all you have to do for iframed editor is (Notice allow-same-origin) adding extra attribute value:
    <iframe src="replacebycode.html" width="1100" height="800" sandbox="allow-scripts allow-same-origin">
    

Works in both FF and Chrome.

Last edited 6 years ago by Jakub Ś (previous) (diff)

Changed 6 years ago by Olek Nowodziński

Attachment: sandboxes.zip added

comment:5 Changed 6 years ago by Olek Nowodziński

Resolution: invalid
Status: confirmedclosed

Confirmed, this is not a bug. This is how things work:

The sandbox attribute, when specified, enables a set of extra restrictions on any content hosted by the iframe. Its value must be an unordered set of unique space-separated tokens that are ASCII case-insensitive. The allowed values are allow-forms, allow-popups, allow-same-origin, allow-scripts, and allow-top-navigation. When the attribute is set, the content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts, and plugins are secured.

The allow-same-origin keyword allows the content to be treated as being from the same origin instead of forcing it into a unique origin, the allow-top-navigation keyword allows the content to navigate its top-level browsing context, and the allow-forms, allow-popups and allow-scripts keywords re-enable forms, popups, and scripts respectively. (dev.w3.org)

Inserting sandbox attribute means that everything is down (script execution, DOM navigation). By extending this attribute, however, we can re-enable individual features, one by one.

Once sandbox="allow-scripts" is used, it allows scripts inside the iframe to be executed so CKEDITOR namespace and editor instances are created. This is not enough since CKEditor often requires communication between iframe (framed editor editable) and parent window. Without allow-same-origin attribute this communication is disabled and several errors are being produced.

This issue implies that sandbox attribute affects all nested iframes as well. Use sandboxes.zip to play with three separate web pages (Sandbox1 > Sandbox2 > Sandbox3) and see that appending sandbox attribute to the topmost iframe also disables communication between Sandbox2 <-> Sandbox3 (Sandbox3 is like a framed editable). Moreover, adding sandbox="allow-scripts allow-same-origin" to the iframe inside Sandbox2 doesn't change anything (there's no way to override the top-level restriction).

To sum up: sandbox="allow-scripts allow-same-origin" needs to be added to the top-level iframe to have CKEditor working in such case.

Anyway, you can also play with sandbox attribute by using this nice demo: http://kouder.net/images/demos/sandbox/index.html

comment:6 Changed 6 years ago by Frederico Caldeira Knabben

Milestone: CKEditor 4.0.2
Note: See TracTickets for help on using tickets.
© 2003 – 2019 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy