Issue 845894

Starred by 3 users

Issue metadata

Status: Available
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Mac
Pri: 3
Type: Bug



Opening a new window from a sandbox creates a permanently-sandboxed tab

Project Member Reported by iclell...@chromium.org, May 23 2018

Issue description

Chrome Version: (copy from chrome://version)
OS: (e.g. Win10, MacOS 10.12, etc...)

Seen in ToT and 66

What steps will reproduce the problem?
(1) Create a sandboxed frame (iframe or top-level, doesn't matter) with allow-popups
(2) Add an <a target="_blank" href="{anywhere}"> tag.
(3) Click the link
(4) Observe that the new page is properly sandboxed
(5) Type a new URL into the omnibox

What is the expected result?

New URL should replace existing contents of the tab, and the new contents should not be sandboxed.

What happens instead?

The new page is also sandboxed. Any page loaded into that frame will be sandboxed, even as a result of the user *typing a new URL* into the omnibox. Searching from the omnibox will not work, as there is an interstitial before the results page which requires JavaScript to redirect.

The tab looks like any other, except that it is permanently, invisibly sandboxed and cannot be reused for regular browsing.


This appears to be handled more rationally in Firefox -- there, the new page is sandboxed, and any navigations that occur within the tab will remain sandboxed, but typing a new URL in the AwesomeBar will replace the contents with a new, non-sandboxed page. Clicking [Back] from there will reinstate the sandbox on the previous contents.

Safari appears to mis-handle this as well, but in a different way.
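
The inheritance behind steps (1) to (4), as an added example that is not part of the original report and is not Chromium code: a simplified model of the HTML sandboxing rules in which a popup copies its opener's restrictions unless the `allow-popups-to-escape-sandbox` token (not mentioned in the report) is present. The function names and restriction labels are hypothetical, and only a subset of sandbox tokens is modelled.

```javascript
// Added example: simplified model of sandbox-flag inheritance (subset of tokens).
// Map of sandbox attribute token -> restriction label (hypothetical) it lifts.
const LIFTS = new Map([
  ["allow-scripts", "scripts"],
  ["allow-same-origin", "unique-origin"],
  ["allow-forms", "forms"],
  ["allow-modals", "modals"],
  ["allow-top-navigation", "top-navigation"],
  ["allow-popups", "popups"],
  ["allow-popups-to-escape-sandbox", "propagate-to-popups"],
]);

// Restrictions still in force for a frame with the given sandbox attribute.
// An empty attribute value means every restriction is active.
function activeRestrictions(sandboxAttr) {
  const active = new Set(LIFTS.values());
  for (const token of sandboxAttr.toLowerCase().split(/\s+/)) {
    if (LIFTS.has(token)) active.delete(LIFTS.get(token));
  }
  return active;
}

// Restrictions a window opened through target="_blank" starts with.
// null: the popup is blocked; empty set: the popup opens unsandboxed.
function popupRestrictions(sandboxAttr) {
  const opener = activeRestrictions(sandboxAttr);
  if (opener.has("popups")) return null;
  if (!opener.has("propagate-to-popups")) return new Set();
  return opener; // the new tab inherits everything the opener had
}

function describe(sandboxAttr) {
  const popup = popupRestrictions(sandboxAttr);
  if (popup === null) return "popup blocked";
  if (popup.size === 0) return "popup opens unsandboxed";
  return "popup sandboxed: " + [...popup].sort().join(", ");
}

// Constructed sample attribute values.
for (const attr of ["", "allow-popups", "allow-popups allow-scripts",
                    "allow-popups allow-popups-to-escape-sandbox"]) {
  console.log(JSON.stringify(attr), "->", describe(attr));
}
```

With `sandbox="allow-popups"` alone the new tab inherits the script restriction, which is why the JavaScript-dependent search interstitial described above cannot redirect once the flags persist across an omnibox navigation.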
 
Components: UI>Browser>Navigation
Sounds like we should just reset the sandbox flags on certain browser-initiated main frame navigations? We already swap BrowsingInstances for most of them (see issue 803367), and there's some logic to look at appropriate page transitions that was added there and which might be helpful here. Though I'm also curious what should happen if you type a URL into the omnibox to get to an unsandboxed page, and then go back. Do we need to restore the previously active flags?
That is the behavior on Firefox, and I'd argue that it is correct.