Set iframe sandbox flags before child navigable creation

[shannonbooth]

The initial about:blank document inherits sandbox flags when the child navigable is created. Parse the iframe sandbox attribute first so the initial child document gets the correct sandbox state.

• At least two implementers are interested (and none opposed):
  • Blink (already implemented)
  • Webkit (already implemented)
  • Gecko (already implemented, except it fails the below test exercising an edge case)
• Tests are written and can be reviewed and commented upon at:
  • https://github.com/web-platform-tests/wpt/blob/2e957b9e7383c4c5c20df805706342689571b053/html/semantics/embedded-content/the-iframe-element/same-origin-contextual-fragment.html
• Implementation bugs are filed:
  • Chromium: N/A
  • Gecko: N/A (the WPT test in question has https://bugzilla.mozilla.org/show_bug.cgi?id=2024145 open)
  • WebKit: N/A
• Corresponding HTML AAM & ARIA in HTML issues & PRs: N/A
• MDN issue is filed: N/A
• The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

---

/iframe-embed-object.html ( diff )

[domfarolino]

Nice catch, it's surprising that this was overlooked. I edited the OP to mark Gecko as "already implemented" with the exception of the contextual fragment edge case you linked to, since Gecko implements this correctly in the general case ¹. Anyways, I think this LGTM.

Footnotes

1. For example, if you load data:text/html,<iframe id=iframe sandbox=allow-same-origin></iframe> in the address bar and then try and run iframe.contentDocument.write('<script>console.log(1)</script>') in the DevTools, the script doesn't run. Gecko only seems to fail the contextual fragment edge case above, so I think that's worth calling out as an exception. ↩