Simple exploration of IFRAME sandbox with allow scripts and allow-same-origin. This was prompted by discussion of sandbox here.
When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
Unfortunately, the document doesn't provide details of what the issue is but after further research it turns out that it's pointless to sandbox if the parent of the IFRAME and the IFRAME are loaded from the same domain (i.e. same origin). If the parent of the IFRAME and IFRAME are loaded from different domains the sandbox is enforced.
This little app(?) demonstrates the issues. There are three options, two of which the sandbox has no effect, the third which does.
(src="data:text/html;base64,CiAgPCFk...bWw+CiAg")
. This actually honors the sandbox.A running demo can be found here.
npm install
or yarn
yarn start-http
or npm run start-http
Connect to http://localhost:8080