Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#42341 closed defect (bug) (fixed)

Add sandbox attribute to Customizer preview iframe to prevent top-navigation

Reported by: westonruter
Owned by: pento
Milestone: 5.1
Priority: normal
Severity: normal
Version: 3.4
Component: Customize
Keywords: has-patch
Focuses:
Cc:

Description

We go through some hoops to prevent a script in the Customizer preview from attempting to set the top window. For example: https://github.com/WordPress/wordpress-develop/blob/2ddcc54/src/wp-includes/js/customize-preview.js#L381-L384

The iframe element in HTML5 supports a sandbox attribute which we can use to prevent the window from changing the loaded top window.

See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
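
The check implied by the description above, as an added example that is not part of the ticket, its patch, or WordPress core: a JavaScript audit of an iframe `sandbox` value that reports whether the framed page can still navigate the top window. The function names `parseSandbox` and `auditSandbox` are hypothetical and the sample attribute values are constructed.

```javascript
// Added example, not WordPress code. Audits an iframe sandbox attribute value
// for tokens that let the framed page navigate the top-level window.
const TOP_NAV_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// HTML treats the value as an unordered set of unique, space-separated,
// ASCII case-insensitive tokens.
function parseSandbox(value) {
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Pass null for an iframe that has no sandbox attribute at all.
function auditSandbox(value) {
  if (value === null) {
    return {
      sandboxed: false,
      blocksTopNavigation: false,
      findings: ['no sandbox attribute: framed page is unrestricted'],
    };
  }
  const tokens = parseSandbox(value);
  const findings = [...tokens]
    .filter((t) => TOP_NAV_TOKENS.has(t))
    .map((t) => `${t}: framed page may navigate the top window`);
  const blocksTopNavigation = findings.length === 0;
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: a same-origin framed ' +
      'page can script the parent and remove the sandbox attribute');
  }
  return { sandboxed: true, blocksTopNavigation, findings };
}

// Constructed sample values (not taken from the ticket or its patch).
const samples = {
  unsandboxed: null,
  allRestrictions: '',
  scriptsAndForms: 'allow-forms allow-scripts',
  topNavAllowed: 'allow-scripts Allow-Top-Navigation',
  userActivated: 'allow-scripts allow-top-navigation-by-user-activation',
};
for (const [name, value] of Object.entries(samples)) {
  const r = auditSandbox(value);
  console.log(name, r.blocksTopNavigation ? 'blocks' : 'ALLOWS', r.findings);
}
```

An empty `sandbox` value applies every restriction, so top navigation is blocked whenever none of the three top-navigation tokens is listed.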

Attachments (1)

42341.diff (1.2 KB) - added by valchovski 6 years ago.

Change History (4)

@valchovski
6 years ago

#1 @valchovski
6 years ago

  • Keywords has-patch added; needs-patch removed

Hi, added the sandbox attribute excluding the top navigation token.

Removed the previous hack for preventing links from breaking out of the preview.

#2 @pento
5 years ago

  • Milestone changed from 5.0 to 5.1

#3 @pento
5 years ago

  • Owner set to pento
  • Resolution set to fixed
  • Status changed from new to closed

In 44583:

Customizer: Use the sandbox attribute to prevent top navigation from the preview.

Props valchovski.
Fixes #42341.