Forum Discussion

jfpjfp42's avatar
jfpjfp42
Copper Contributor
Nov 15, 2024

iframe auto sandboxed ?

I just upgraded to version 132.0.2945.0 in the Dev Edge channel.

 

There seems to be a breaking change around default behaviour on iframes:

I have an iframe embeded into a page, both the iframe and the page having the same origin. I load the iframe without the 'sandbox' parameters, meaning this is a plain iframe.

Starting with this version of edge, I get new errors when the iframe loads and the console says:

Uncaught SecurityError: Failed to read the 'sessionStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.

The code inside the iframe is trying to save context data to the sessionStorage, this used to work flawlessly in previous versions.

So it seems that this iframe has been sandboxed by Edge although this is not asked by the surrounding webpage.

I could not find any reference to this new behaviour in the release notes. 

 

Thanks for any insights !

1 Reply

Sort By
  • Mks_1973's avatar
    Mks_1973
    Iron Contributor
    Nov 15, 2024

    Try adding the sandbox attribute to your iframe tag with allow-same-origin and other permissions your iframe requires. This may help you regain the ability to use sessionStorage within the iframe.

    <iframe src="your_iframe_src.html" sandbox="allow-same-origin allow-scripts"></iframe>

     

    Visit edge://flags in the Edge browser and search for flags related to iframes or sandboxing.
    (Look for anything experimental that might relate to enhanced sandboxing or security restrictions on iframes. While this may be a temporary fix, you can disable any experimental flags related to iframe security to see if it resolves the issue.)


    Submit feedback directly to the Microsoft Edge team. You can report issues through the Edge feedback tool by navigating to Settings > Help and feedback > Send feedback or by using the keyboard shortcut Alt + Shift + I. Provide as much detail as possible about the issue and how it affects your setup.


    ALTERNATIVE SOLUTION:
    PostMessage API: Use window.postMessage to communicate data between the iframe and the parent window, then store it in sessionStorage on the parent.
    Local Storage in Parent Window: If feasible, store data in localStorage within the parent window and pass the data to the iframe when needed.


    Note: This behavior might be an experimental feature in the Dev version, keep an eye on the Edge release notes for future updates.

Resources