#9705 closed Bug (invalid)
Various errors when running inside of an iframe with sandbox="allow-scripts"
Reported by: | Olek Nowodziński | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | General | Version: | 3.0 |
Keywords: | Cc: |
Description
Due to security restrictions, some browsers (latest Chrome, Firefox 17) throw errors when the editor is being run inside of an iframe with sandbox="allow-scripts". Research is needed.
Chrome:
Sandbox access violation: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL http://ckeditor4.t/ckeditor/samples/replacebycode.html. Both frames are sandboxed into unique origins. wysiwygarea.js:91
Firefox:
Error: Permission denied to access property 'document' wysiwygarea.js:91
- Use attached sandbox.html to reproduce.
- First report was in #9701.
- There can be more errors like this.
Attachments (2)
Change History (8)
Changed 12 years ago by
Attachment: | sandbox.html added |
---|
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
Milestone: | CKEditor 4.0.1 → CKEditor 4.0.2 |
---|
comment:3 Changed 12 years ago by
Status: | new → confirmed |
---|---|
Version: | 4.0 → 3.0 |
This of course (since it's a browser feature) can be reproduced from CKEditor 3.0 and only in Firefox and Chrome (browsers supporting this feature).
comment:4 Changed 12 years ago by
I'm not sure if this ticket is valid.
- Please have a look at possible values http://www.w3schools.com/html5/att_iframe_sandbox.asp
- Next look at the error - "Sandbox access violation: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL ... Both frames are sandboxed into unique origins".
- Taking the above into account, all you have to do for the iframed editor is (notice allow-same-origin):
<iframe src="replacebycode.html" width="1100" height="800" sandbox="allow-scripts allow-same-origin">
Works in both FF and Chrome.
Changed 12 years ago by
Attachment: | sandboxes.zip added |
---|
comment:5 Changed 12 years ago by
Resolution: | → invalid |
---|---|
Status: | confirmed → closed |
Confirmed, this is not a bug. This is how things work:
The sandbox attribute, when specified, enables a set of extra restrictions on any content hosted by the iframe. Its value must be an unordered set of unique space-separated tokens that are ASCII case-insensitive. The allowed values are allow-forms, allow-popups, allow-same-origin, allow-scripts, and allow-top-navigation. When the attribute is set, the content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts, and plugins are secured.
The allow-same-origin keyword allows the content to be treated as being from the same origin instead of forcing it into a unique origin, the allow-top-navigation keyword allows the content to navigate its top-level browsing context, and the allow-forms, allow-popups and allow-scripts keywords re-enable forms, popups, and scripts respectively. (dev.w3.org)
Inserting the sandbox attribute means that everything is down (script execution, DOM navigation). By extending this attribute, however, we can re-enable individual features, one by one.
Once sandbox="allow-scripts" is used, it allows scripts inside the iframe to be executed, so the CKEDITOR namespace and editor instances are created. This is not enough since CKEditor often requires communication between the iframe (framed editor editable) and the parent window. Without the allow-same-origin attribute this communication is disabled and several errors are being produced.
This issue implies that the sandbox attribute affects all nested iframes as well. Use sandboxes.zip to play with three separate web pages (Sandbox1 > Sandbox2 > Sandbox3) and see that appending the sandbox attribute to the topmost iframe also disables communication between Sandbox2 <-> Sandbox3 (Sandbox3 is like a framed editable). Moreover, adding sandbox="allow-scripts allow-same-origin" to the iframe inside Sandbox2 doesn't change anything (there's no way to override the top-level restriction).
To sum up: sandbox="allow-scripts allow-same-origin" needs to be added to the top-level iframe to have CKEditor working in such a case.
Anyway, you can also play with sandbox attribute by using this nice demo: http://kouder.net/images/demos/sandbox/index.html
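The inheritance rule described in comment 5, as an added example that is not part of the original ticket or of CKEditor's code: a small JavaScript model that parses sandbox values and works out which features survive a chain of nested iframes. The function names, the chain representation and the result strings are assumptions made for illustration, and the model assumes every page in the chain is served from the same origin.

```javascript
// Added example: how sandbox restrictions combine down a chain of nested iframes.
// Assumption: every page in the chain is served from the same origin.
const KNOWN_TOKENS = ["allow-forms", "allow-popups", "allow-same-origin",
  "allow-scripts", "allow-top-navigation"]; // the five listed in comment 5

// Parse a sandbox value: space-separated, unique, ASCII case-insensitive tokens.
// null means the iframe has no sandbox attribute and adds no restriction.
function parseSandbox(value) {
  if (value === null) return null;
  const tokens = value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
  return new Set(tokens.filter((t) => KNOWN_TOKENS.includes(t)));
}

// chain[0] is the top-level iframe's sandbox value, chain[1] the iframe inside
// that page, and so on. A feature stays enabled only if every sandboxed ancestor
// re-enables it, so an inner iframe cannot lift an outer restriction.
function effectivePermissions(chain) {
  let allowed = new Set(KNOWN_TOKENS);
  for (const value of chain) {
    const tokens = parseSandbox(value);
    if (tokens === null) continue;
    allowed = new Set([...allowed].filter((t) => tokens.has(t)));
  }
  return allowed;
}

// "scripts-disabled": the editor never starts. "unique-origin": scripts run, but
// access between the framed editable and its parent is denied, as in the report.
function diagnose(chain) {
  const allowed = effectivePermissions(chain);
  if (!allowed.has("allow-scripts")) return "scripts-disabled";
  if (!allowed.has("allow-same-origin")) return "unique-origin";
  return "ok";
}

// Constructed scenarios modelled on the ticket discussion.
const SCENARIOS = [
  ['sandbox="allow-scripts" (as reported)', ["allow-scripts"]],
  ['sandbox="allow-scripts allow-same-origin"', ["allow-scripts allow-same-origin"]],
  ["inner iframe tries to re-enable", ["allow-scripts", "allow-scripts allow-same-origin"]],
  ['sandbox="" (everything down)', [""]],
  ["unsandboxed outer, mixed-case inner", [null, "Allow-Scripts  ALLOW-SAME-ORIGIN"]],
];
for (const [label, chain] of SCENARIOS) {
  console.log(label.padEnd(45), "->", diagnose(chain));
}
```

The HTML specification warns that when the framed page is served from the same origin as the embedding page, allowing both allow-scripts and allow-same-origin lets the framed page remove the sandbox attribute itself, so this combination only isolates content hosted on a different origin.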
comment:6 Changed 12 years ago by
Milestone: | CKEditor 4.0.2 |
---|
The following websites may contain relevant information regarding this issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=553102
https://blog.mozilla.org/addons/2012/08/20/exposing-objects-to-content-safely/