Calling scrollIntoView() inside a sandboxed iframe causes the top window to scroll
Reported by pclin...@gmail.com, Mar 6 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Steps to reproduce the problem:
1. Create a webpage with a sandboxed iframe out of view
2. Have the sandboxed iframe call Element.scrollIntoView() on an element inside the sandboxed iframe
3. The parent browser window will scroll down to the sandboxed iframe, even though it should be treated as a different origin and sandboxed iframes should not affect the parent.
Sample code
<!doctype html>
<html><head><title>Scroll Into View</title></head>
<!-- The 5000px bottom margin pushes everything after the heading, including the iframe, far below the fold -->
<body><h1 style="margin-bottom:5000px;">Top of the page..</h1>
<script>
var iframe = document.createElement('iframe');
iframe.width='300';
iframe.height='300';
// allow-scripts only (no allow-same-origin): the srcdoc document runs in a unique opaque origin
iframe.sandbox='allow-scripts';
// The sandboxed document scrolls its own body into view as soon as it runs; the parent should not move
iframe.srcdoc="<!DOCTYPE html><html><head><title>Example</title></head><body>You should not be auto scrolled to me.<script>document.body.scrollIntoView();<\/script></body></html>";
document.body.appendChild(iframe);
</script>
</body>
</html>
Note: When testing this in Chrome, the first time I load the page the unexpected behavior occurs. If you press reload, it does not. Opening a new tab and loading the page again causes the unexpected behavior to happen again.
What is the expected behavior?
The parent should not be scrolled.
What went wrong?
Sandboxed iframes should not be able to scroll the parent window.
We came across this issue when we identified a malicious online advertisement that continually called scrollIntoView() to force the end user to watch their ad.
Did this work before? N/A
Chrome version: 64.0.3282.186 Channel: stable
OS Version: 10.0
Flash Version:
Mar 6 2018
I may be wrong, but I believe it is covered under https://drafts.csswg.org/cssom-view/#dom-element-scrollintoview "7. Scroll the element into view with behavior, block, and inline.", which links to https://drafts.csswg.org/cssom-view/#scroll-an-element-into-view "1. If the Document associated with element is not same origin with the Document associated with the element or viewport associated with box, terminate these steps."
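The spec step quoted in the comment above, and the behaviour the issue description reports (the top window scrolling when a sandboxed srcdoc frame calls scrollIntoView), as an added example that is not code from the bug report or from Chromium. It is a small Node-runnable model of the CSSOM View "scroll an element into view" walk: each document is modelled as having one scrolling box, its viewport, and every name below (makeDocument, makeElement, embed, offsetTop, frameElement, the enforceSameOrigin option) is an assumption of the model, not a real DOM API. The sandboxed srcdoc frame gets an opaque origin, modelled as a Symbol that is same-origin with nothing but itself; the unsandboxed variant, which inherits the parent's origin, is included to show that a same-origin frame is legitimately allowed to scroll its parent.

```javascript
// Added example, not code from the bug report or from Chromium: a model of the
// CSSOM View "scroll an element into view" algorithm with its same-origin check.
// All objects and fields here are assumptions of the model, not real DOM APIs.

// A document with an origin. A tuple origin is a string; a sandboxed srcdoc
// frame gets a fresh opaque origin, modelled as a unique Symbol.
function makeDocument(name, origin) {
  return { name, origin, scrollTop: 0, frameElement: null };
}

// An element: the document it lives in and its offset from the top of that document.
function makeElement(ownerDocument, offsetTop) {
  return { ownerDocument, offsetTop };
}

// Embed `child` in `parent` through an iframe element positioned at `offsetTop`.
function embed(parent, child, offsetTop) {
  child.frameElement = makeElement(parent, offsetTop);
  return child;
}

// Same origin: equal tuple origins, or the very same opaque origin.
function sameOrigin(docA, docB) {
  return docA.origin === docB.origin;
}

// "Scroll an element into view": scroll the element's own viewport, then the
// viewport of each embedding document outward, stopping at the first viewport
// whose Document is not same origin with the element's Document.
// enforceSameOrigin=false skips that check, which reproduces what the report
// observed: the walk crosses the sandbox boundary and moves the top window.
function scrollIntoView(element, { enforceSameOrigin = true } = {}) {
  const scrolled = [];
  let target = element;
  let doc = element.ownerDocument;
  while (doc) {
    if (enforceSameOrigin && !sameOrigin(element.ownerDocument, doc)) break;
    doc.scrollTop = target.offsetTop;   // bring target to the top of this viewport
    scrolled.push(doc.name);
    target = doc.frameElement;          // next: the iframe in the embedding document
    doc = target ? target.ownerDocument : null;
  }
  return scrolled;
}

// Rebuild the report's page (constructed data): a top document whose
// <h1 style="margin-bottom:5000px"> pushes the iframe 5000px down, and a
// srcdoc iframe whose script calls document.body.scrollIntoView().
function buildPage({ sandboxed }) {
  const top = makeDocument('top', 'https://example.test');          // assumed origin
  const frameOrigin = sandboxed ? Symbol('opaque') : top.origin;   // sandbox => opaque origin
  const frame = embed(top, makeDocument('srcdoc-frame', frameOrigin), 5000);
  const body = makeElement(frame, 0);
  return { top, frame, body };
}

// Run one scenario and report which viewports scrolled and where the top ended up.
function run({ sandboxed, enforceSameOrigin }) {
  const page = buildPage({ sandboxed });
  const scrolled = scrollIntoView(page.body, { enforceSameOrigin });
  return { scrolled, topScrollTop: page.top.scrollTop };
}

// Per spec: a sandboxed frame scrolls only itself; the top window stays at 0.
console.log('sandboxed, spec check ', run({ sandboxed: true, enforceSameOrigin: true }));
// As reported: without the check the top window is scrolled to 5000.
console.log('sandboxed, no check   ', run({ sandboxed: true, enforceSameOrigin: false }));
// A same-origin srcdoc frame may scroll its parent; that is not a bug.
console.log('same-origin frame     ', run({ sandboxed: false, enforceSameOrigin: true }));
```

The model only captures the origin rule; whether a given browser build actually applies it is what the sample page in the issue description tests. Running the sample page while watching `window.scrollY` in the parent is the practical check: a value other than 0 after the frame loads means the boundary was crossed.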
Mar 8 2018
Able to reproduce this issue on the reported version 64.0.3282.186 and on latest canary 67.0.3364.0 using Windows 10, Ubuntu 14.04 and Mac 10.13.3 with the steps mentioned in comment #0. This issue is seen from M-60. Hence considering this issue as Non-Regression and marking as Untriaged. Could someone from the Blink>Scroll team please take a look at this issue. Thanks!
Mar 8 2018
sunyunjia@ is the expert in this area. PTAL.
Nov 27
Reproduced this issue on Chrome 70.0.3538.110 and latest canary 72.0.3622.0 using Mac 10.14.2 Beta. Here is an online preview of the bug: https://isnimitz.com/demosiv.html. In Chrome the preview scrolls and shows a white blank. By the way, it was normal in Safari 12.0.2.
Comment 1 by woxxom@gmail.com, Mar 6 2018