Prevent iframes from breaking out and redirecting the BrowserWindow hosting the iframe?

[kirkouimet]

For example, if you try to create an atom-shell app that has an iframe that references github.com, Github uses an iframe breaking technique to redirect the top window to the src of the iframe.

<iframe src="http://www.github.com/" name="disable-x-frame-options" sandbox="none"></iframe>

Is there anyway to trick the iframe to make it think it is the top window?

If not, what is the best way to manage a bunch of individual BrowserWindows inside of a main window?

[thomasjo]

node-webkit got support for this exact functionality a while ago, perhaps it could be used as inspiration?
rogerwang/WebKit_trimmed@12d8e15

[jhleath]

Based on this, I would assume that you could get the same functionality by adding the following attribute to your iframe:

sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts"

(Note the exclusion of allow-top-navigation.)

[frankhale]

@huntaub, just tested this and it works nicely!

[TosinAdekoya]

@huntaub Thanks man.

[mb21]

From MDN:

When the embedded document has the same origin as the main page, it is strongly discouraged to use both allow-scripts and allow-same-origin at the same time, as that allows the embedded document to programmatically remove the sandbox attribute. Although it is accepted, this case is no more secure than not using the sandbox attribute.

[minecraftchest1]

I tried it and the page wouldn't work anymore.