
Issue 833818

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression




iFrame is allowed to go full screen, even though "allowfullscreen" attribute hasn't been set

Reported by walkingf...@googlemail.com, Apr 17 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. open the test.html attachment
2. press the "go full screen" button
3. 

What is the expected behavior?
The browser doesn't go into full-screen mode

What went wrong?
The browser went into full-screen mode

Did this work before? N/A 

Does this work in other browsers? Yes

Chrome version: 65.0.3325.181  Channel: stable
OS Version: OS X 10.11.6
Flash Version: 

The specs say that you need to set "allowfullscreen" in order for an iFrame to go full screen:
https://fullscreen.spec.whatwg.org/#security-and-privacy-considerations
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-allowfullscreen
 
Attachments: iframe.html (945 bytes), test.html (401 bytes)

Comment 1 by woxxom@gmail.com, Apr 17 2018

Bisected to 5d8010e1fc081481d0646618e700b51a4699ab4c
"Reenable feature policy control over fullscreen"
Landed in 62.0.3189.0

   Same origin iframes by default have the same ability to use 
   fullscreen as their parent frame.

Apparently the spec itself is in the process of being updated and Chrome implements the new behavior:
https://html.spec.whatwg.org/multipage/iframe-embed-object.html#allowed-to-use

Thanks for the speedy reply :)

We noticed that using the "sandbox" attribute will disable the iframe from going full screen. But this also disables the use of Window.postMessage()

Is there a way to disable an iframe from going full screen, while still being able to use Window.postMessage()?

Labels: Needs-Triage-M65

Cc: susan.boorgula@chromium.org
Labels: -Type-Bug -Pri-2 RegressedIn-62 Target-67 M-68 Target-66 FoundIn-66 FoundIn-67 hasbisect Triaged-ET FoundIn-68 Target-68 OS-Linux OS-Windows Pri-1 Type-Bug-Regression
Owner: iclell...@chromium.org
Status: Assigned (was: Unconfirmed)

Able to reproduce this issue on Windows 10, Mac OS 10.12.6 and Ubuntu 14.04 on the latest Canary 68.0.3400.0 and latest Stable 66.0.3359.117 as per the original comment.

Bisect Information:
===================
Good Build: 62.0.3188.0
Bad Build : 62.0.3189.0

As per comment #1, the CL which caused this issue is 
Reviewed-on:  https://codereview.chromium.org/2898503002

iclelland@ Please check and confirm if this issue is related to your change, else help us in assigning to the right owner.

Thanks.

Status: WontFix (was: Assigned)
(Marking WAI as this is the intended behaviour as of M62)

Re: #2 -- yes, you can disable fullscreen specifically with feature policy. Adding the attribute 

    allow="fullscreen 'none'"

to the iframe should cause fullscreen to be blocked in that frame.

    <iframe src="http://some.example.com" allow="fullscreen 'none'"></iframe>

You can still postMessage, and do everything else that would otherwise be allowed in that frame. Only the one feature will be blocked.

Of course, if you don't trust the frame not to abuse fullscreen, it should really be sandboxed, or hosted on a different origin than the main page at least: A same-origin frame can do things like changing the markup in the parent page, or abusing the parent's ability to use fullscreen in order to fullscreen its own <iframe> element.
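
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not Chromium's code: a simplified JavaScript model of how the `allow` and `allowfullscreen` attributes decide whether a frame may use fullscreen, useful for auditing iframe markup. The function names, origins and sample frames are hypothetical and constructed for illustration; sandboxing and later navigations of the frame are not modelled.

```javascript
// Simplified model of the fullscreen policy described in this thread.
// Assumption: not Chromium's implementation; sandboxing and later
// navigations of the frame are not modelled.
function parseAllow(allow) {
  // "fullscreen 'none'; camera *" -> Map { fullscreen: ["'none'"], camera: ["*"] }
  const policy = new Map();
  for (const directive of (allow || "").split(";")) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature) policy.set(feature, allowlist);
  }
  return policy;
}

function fullscreenAllowed(parentOrigin, frame) {
  const frameOrigin = new URL(frame.src, parentOrigin).origin;
  const policy = parseAllow(frame.allow);
  let allowlist;
  if (policy.has("fullscreen")) {
    // An explicit allow="" entry takes precedence over allowfullscreen.
    allowlist = policy.get("fullscreen");
    if (allowlist.length === 0) allowlist = ["'src'"]; // bare name means 'src'
  } else if (frame.allowfullscreen) {
    allowlist = ["*"]; // legacy attribute
  } else {
    allowlist = ["'self'"]; // default: same origin as the parent only
  }
  return allowlist.some((entry) => {
    if (entry === "'none'") return false;
    if (entry === "*" || entry === "'src'") return true;
    if (entry === "'self'") return frameOrigin === parentOrigin;
    try { return new URL(entry).origin === frameOrigin; } catch { return false; }
  });
}

// Constructed sample frames (hypothetical origins and paths).
const PARENT = "https://app.example";
const FRAMES = [
  { src: "/iframe.html" },
  { src: "/iframe.html", allow: "fullscreen 'none'" },
  { src: "https://widgets.example/w.html" },
  { src: "https://widgets.example/w.html", allowfullscreen: true },
  { src: "https://widgets.example/w.html", allowfullscreen: true, allow: "fullscreen 'none'" },
];

function audit(parentOrigin, frames) {
  return frames.map((f) => ({ ...f, fullscreen: fullscreenAllowed(parentOrigin, f) }));
}

for (const r of audit(PARENT, FRAMES)) console.log(JSON.stringify(r));
```

The first sample frame corresponds to the reported case (same-origin frame, no attributes) and the second to the `allow="fullscreen 'none'"` mitigation suggested above.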
