Sandbox attribute does not support "allow-popups-to-escape-sandbox" flag

Issue #10464339 • Assigned to Travis L.

Details

Author
Jeremie M.
Created
Jan 9, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
  • Internet Explorer
Reports
Reported by 3 people

Sign in to watch or report this issue.

Steps to reproduce

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Brad E.”

      Changed Assigned To to “Travis L.”

      Changed Assigned To from “Travis L.” to “Nathan S.”

    • All major browsers (including Chrome, Safari and Firefox) support this now, except Edge and IE. It would be great if this could be prioritized.

    • Related iframe sandbox bugs:
      https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/14609256/
      https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/14609322/

      Ad networks are using those flags to sandbox ads, in order to prevent malicious behaviors.

    • Looking at the related sandbox bugs, I see that they were all closed as wontfix with a “helpful” link to http://uservoice.microsoftedge.com/.

      It should not be up to the users to vote which features from the HTML standard they’d like implemented in Edge. These flags are not "user features", they’re part of the HTML spec describing how pages should be rendered.

      And in contrast to the related bugs, this attribute is much older than the others, widely supported by all major browsers, and a security feature. Without this flag, clicking on any link within a sandboxed iframe is completely useless even if the new link opens in a new tab, as most pages nowadays absolutely require JS.

      Currently, the only solution for Edge is to not use the sandbox at all, which security-wise is much worse. (For IE there was the workaround of using security=restricted, which has it’s own set of problems and is not available in Edge anymore).

    • For the record, someone added the uservoice “idea” here: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/14970816-implement-allow-popups-to-escape-sandbox-token-for

      It’s still unclear to me if this is a bug on an existing feature (Sandboxing), or if it counts as a new feature. In any case, voting on uservoice may help.

    • Microsoft Edge Team

      Changed Assigned To to “Travis L.”

    You need to sign in to your Microsoft account to add a comment.

    Sign in