Does Iframe sandbox execute script inside child iframe?

When you run this test, if you see an alert popup, then the child iframe can execute script!

By skeptic_fx
Tags: iframe, sop, sandbox

Results


| Tested on | Result | Test Name | Message |
| --- | --- | --- | --- |
| Chrome - 64 - Windows 10 | PASS | When you run this test, if alert pops then the test passes. Cant reliably show the result here, because SOP :) | |
| Safari - 10.1.1 - Mac OS X | PASS | When you run this test, if alert pops then the test passes. Cant reliably show the result here, because SOP :) | |
| Firefox - 57 - Windows 10 | PASS | When you run this test, if alert pops then the test passes. Cant reliably show the result here, because SOP :) | |
| Googlebot - 2.1 - undefined | PASS | When you run this test, if alert pops then the test passes. Cant reliably show the result here, because SOP :) | |
| Mobile Safari - 11 - iOS | PASS | When you run this test, if alert pops then the test passes. Cant reliably show the result here, because SOP :) | |
| Chrome Mobile - 41 - Android | PASS | When you run this test, if alert pops then the test passes. Cant reliably show the result here, because SOP :) | |

User Script (TESTHARNESS)

					
<html>
<head>
<script src="/public/js/testharness-domstorm.js"></script>


<script>
// The userScript for the Module
// W3C Testharness.js
// Tutorial: http://darobin.github.io/test-harness-tutorial/docs/using-testharness.html
// W3C Platform Tests: https://github.com/w3c/web-platform-tests

// The assertion is unconditionally true, so the recorded PASS only means the
// harness ran. The real signal is whether the alert popup appears.
function testIframe() {
  test(function() {
    assert_true(true);
  }, 'When you run this test, if alert pops then the test passes. Cant reliably show the result here, because SOP :)');
}

testIframe();
</script>

</head>
<body>
<h1>Tests whether a sandboxed iframe can have another iframe which can execute script inside it</h1>
<h2>When you run this test, if you see an alert popup, then the child iframe can execute script!</h2>
    <!-- Outer frame: bare sandbox attribute, no allow-scripts token. The framed /iframe/ page
         is given a url parameter pointing at /xss/ with a <script>alert(1)</script> payload. -->
    <iframe sandbox src="https://test.skepticfx.com/iframe/?url=https%3A%2F%2Ftest.skepticfx.com%2Fxss%2F%3Fxxp%3D1%26xss%3D%3Cscript%3Ealert(1)%3C%2Fscript%3E"></iframe>
</body>
</html>
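The test above relies on watching for an alert because the harness cannot read the result across origins. The following added example (not part of the original test page) reports the result programmatically instead: the nested frame's script sends a `postMessage` to the top window, and a timeout stands for "script did not run". It assumes it is run in a page you control, and it uses `srcdoc` frames rather than the page's test.skepticfx.com URLs; the function names and the token are constructed for illustration. Per the HTML specification, the outer frame's sandbox flags also apply to frames nested inside it, so the bare `sandbox` case is expected to report `false`.

```javascript
// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Markup loaded into the outer (sandboxed) frame: a single child iframe whose
// script reports to the top window. `token` is a constructed nonce.
function outerMarkup(token) {
  const child = `<script>top.postMessage(${JSON.stringify(token)}, "*")<\/script>`;
  return `<iframe srcdoc="${escapeAttr(child)}"></iframe>`;
}

// Resolves true if the child frame's script ran, false after timeoutMs.
// sandboxValue: null = no sandbox attribute, '' = bare sandbox, or a token list.
function probe(sandboxValue, timeoutMs = 1000) {
  return new Promise((resolve) => {
    const token = 'probe-' + Math.random().toString(36).slice(2);
    const outer = document.createElement('iframe');
    if (sandboxValue !== null) outer.setAttribute('sandbox', sandboxValue);
    outer.srcdoc = outerMarkup(token);
    const done = (ran) => {
      window.removeEventListener('message', onMessage);
      clearTimeout(timer);
      outer.remove();
      resolve(ran);
    };
    // Sandboxed frames have an opaque origin, so match on the nonce only.
    const onMessage = (e) => { if (e.data === token) done(true); };
    const timer = setTimeout(() => done(false), timeoutMs);
    window.addEventListener('message', onMessage);
    document.body.appendChild(outer);
  });
}

// The page's case (bare sandbox) next to two controls.
async function runAll() {
  const cases = { 'sandbox': '', 'sandbox="allow-scripts"': 'allow-scripts', 'no sandbox': null };
  const results = {};
  for (const [name, value] of Object.entries(cases)) results[name] = await probe(value);
  return results;
}

// Only runs in a browser; in other environments the functions are just defined.
if (typeof document !== 'undefined') runAll().then(console.table);
```
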