Make WordPress Core

Opened 8 months ago

Last modified 6 days ago

#42341 new defect (bug)

Add sandbox attribute to Customizer preview iframe to prevent top-navigation

Reported by: westonruter
Owned by:
Milestone: 5.0
Priority: normal
Severity: normal
Version: 3.4
Component: Customize
Keywords: has-patch
Focuses:
Cc:


We go through some hoops to prevent a script in the Customizer preview from attempting to set the top window. For example: https://github.com/WordPress/wordpress-develop/blob/2ddcc54/src/wp-includes/js/customize-preview.js#L381-L384

The iframe element in HTML5 supports a sandbox attribute which we can use to prevent the window from changing the loaded top window.

See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox

Attachments (1)

42341.diff (1.2 KB) - added by valchovski 6 days ago.


Change History (2)

#1 @valchovski
6 days ago

  • Keywords has-patch added; needs-patch removed

Hi, added the sandbox attribute excluding the top navigation token.

Removed the previous hack for preventing links from breaking out of the preview.
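An added example, not part of the ticket and not the contents of 42341.diff: a small audit of an iframe `sandbox` value that reports whether top-level navigation stays blocked. The function names and sample token lists are assumptions, and the second check (`allow-scripts` combined with `allow-same-origin`) goes beyond the ticket's scope but matters for a same-origin preview frame.

```javascript
// Added example: audits an <iframe sandbox="..."> value. Not taken from 42341.diff.
// Tokens that permit the framed document to navigate the top-level window.
const TOP_NAV_TOKENS = ['allow-top-navigation', 'allow-top-navigation-by-user-activation'];

// Sandbox tokens are whitespace-separated and ASCII case-insensitive.
function parseSandbox(value) {
  return value.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase());
}

// value: the attribute string, or null when the iframe has no sandbox attribute.
function auditSandbox(value) {
  if (value === null || value === undefined) {
    return { sandboxed: false, blocksTopNavigation: false,
             findings: ['no sandbox attribute: framed page may navigate the top window'] };
  }
  const tokens = new Set(parseSandbox(value));
  const findings = [];
  for (const t of TOP_NAV_TOKENS) {
    if (tokens.has(t)) findings.push(`${t} permits top-level navigation`);
  }
  // Decide before adding the caveat below, which is not a top-navigation finding.
  const blocksTopNavigation = findings.length === 0;
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: a same-origin framed page can remove the sandbox attribute');
  }
  return { sandboxed: true, blocksTopNavigation, findings };
}

// Constructed sample values (assumptions, not the tokens used by the patch).
const samples = {
  none: null,
  strict: '',
  preview: 'allow-forms allow-scripts allow-same-origin',
  leaky: 'allow-scripts  Allow-Top-Navigation',
};
for (const [name, value] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditSandbox(value)));
}
```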
