Re: test

From sefa, 4 Years ago, written in JavaScript.

This paste is a reply to test from sefa - go back

Embed

Viewing differences between test and Re: test

    if (window.top === this || window.parent === this) {
            let message = "This page is meant to be loaded from within an iframe to demonstrate you can bypass sandbox attribute, when a combination of 'allow-same-origin' and 'allow-scripts' is used.";
            document.body.innerText = message;
            throw new Error(message);
        }

    const illegalCode = () => {
        alert("You should not see me, because original iframe did not have 'allow-modals'. Kid page had allow-scripts and same-origin though. A new iframe without sandbox attribute was created - and here I am.");
    }

    const escape = () => {
        document.body.innerText = "Loaded into a frame.";

        let parent = window.parent;
        let container = parent.document.~~getElementById("escapeMe");~~
getElementById("analyticsFrame");
        if (parent.document.~~getElementById("escapeMe")~~ getElementById("analyticsFrame") != null) {
            // Recreate and insert an iframe without sandbox attribute that
            // plays by our rules.
            let replacement = parent.document.createElement("iframe");
            replacement.setAttribute("src", ~~"kid.~~"/kid.htm");
            replacement.setAttribute("id", "escapedAlready")
            parent.document.body.append(replacement);

            // Remove original iframe (avoid an infinite loop)
            container.parentNode.removeChild(container);

        } else {
            // Execute code that would be prevented by original iframe's sandbox.
            illegalCode();
        }
    }

    escape();

Author

Title

Language

Your paste - Paste your paste here

if (window.top === this || window.parent === this) {
            let message = &quot;This page is meant to be loaded from within an iframe to demonstrate you can bypass sandbox attribute, when a combination of 'allow-same-origin' and 'allow-scripts' is used.&quot;;
            document.body.innerText = message;
            throw new Error(message);
        }

const illegalCode = () =&gt; {
        alert(&quot;You should not see me, because original iframe did not have 'allow-modals'. Kid page had allow-scripts and same-origin though. A new iframe without sandbox attribute was created - and here I am.&quot;);
    }

const escape = () =&gt; {
        document.body.innerText = &quot;Loaded into a frame.&quot;;

let parent = window.parent;
        let container = parent.document.getElementById(&quot;analyticsFrame&quot;);
        if (parent.document.getElementById(&quot;analyticsFrame&quot;) != null) {
            // Recreate and insert an iframe without sandbox attribute that
            // plays by our rules.
            let replacement = parent.document.createElement(&quot;iframe&quot;);
            replacement.setAttribute(&quot;src&quot;, &quot;/kid.htm&quot;);
            replacement.setAttribute(&quot;id&quot;, &quot;escapedAlready&quot;)
            parent.document.body.append(replacement);

// Remove original iframe (avoid an infinite loop)
            container.parentNode.removeChild(container);

} else {
            // Execute code that would be prevented by original iframe's sandbox.
            illegalCode();
        }
    }

escape();

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Spam protection -

{"html5":"htmlmixed","css":"css","javascript":"javascript","php":"php","python":"python","ruby":"ruby","lua":"text\/x-lua","bash":"text\/x-sh","go":"go","c":"text\/x-csrc","cpp":"text\/x-c++src","diff":"diff","latex":"stex","sql":"sql","xml":"xml","apl":"apl","asterisk":"asterisk","c_loadrunner":"text\/x-csrc","c_mac":"text\/x-csrc","coffeescript":"text\/x-coffeescript","csharp":"text\/x-csharp","d":"d","ecmascript":"javascript","erlang":"erlang","groovy":"text\/x-groovy","haskell":"text\/x-haskell","haxe":"text\/x-haxe","html4strict":"htmlmixed","java":"text\/x-java","java5":"text\/x-java","jquery":"javascript","mirc":"mirc","mysql":"sql","ocaml":"text\/x-ocaml","pascal":"text\/x-pascal","perl":"perl","perl6":"perl","plsql":"sql","properties":"text\/x-properties","q":"text\/x-q","scala":"scala","scheme":"text\/x-scheme","tcl":"text\/x-tcl","vb":"text\/x-vb","verilog":"text\/x-verilog","yaml":"text\/x-yaml","z80":"text\/x-z80"}

Reply to "Re: test"