| <!doctype html> |
| <!-- Sandbox-ed <iframe> which does not allow escaping --> |
| <iframe id="frame1" allow="sync-xhr 'none'" |
| sandbox="allow-scripts allow-popups"> |
| </iframe> |
| <!-- Sandbox-ed <iframe> which allows escaping --> |
| <iframe id="frame2" allow="sync-xhr 'none'" |
| sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox"> |
| </iframe> |
| <!-- Not sandbox-ed <iframe> --> |
| <iframe id="frame3" allow="sync-xhr 'none'"></iframe> |
| <script> |
| var frame1 = document.getElementById("frame1"), |
| frame2 = document.getElementById("frame2"), |
| frame3 = document.getElementById("frame3"); |
| |
| var frame_map = { |
| "sandboxed": frame1, |
| "sandboxed-escaping": frame2, |
| "notsandboxed": frame3, |
| }; |
| |
| function test(iframe_type, iframe_src, window_url, window_feature) { |
| var iframe = frame_map[iframe_type]; |
| iframe.src = iframe_src; |
| // Then message will trigger |window.open| to the url |window_url|. |
| iframe.addEventListener( |
| "load", () => iframe.contentWindow.postMessage( |
| { |
| window_url: window_url, |
| window_feature: window_feature |
| }, |
| "*")); |
| } |
| </script> |