Detect if JavaScript is Executing In a Sandboxed Iframe?
I have a product that\'s playing a video in Flash (if available), and falls back to HTML5 if Flash isn\'t available.
I\'m not able to find a way to determine if Java
-
I will consider different kinds of iframes (choose the first case which applies):
Iframes with the sandboxed scripts browsing context flag
That is, iframes with a sandbox attribute which doesn't contain the allow-scripts keyword.
This flag blocks script execution. In particular, you can't use a script to check if the iframe is sandboxed.
Same-origin iframes without the sandboxed origin browsing context flag
That is, same-origin iframes with no sandbox attribute, or same-origin iframes with a sandbox attribute which contains the allow-same-origin and allow-scripts keywords.
In this case, you can use the frameElement global property to access the frame element (returns
nullwhen not used inside an iframe).Once you have a reference to the iframe, you can use hasAttribute or getAttribute to check its sandboxed attribute. There is also the sandboxed property, which should return a
DOMSettableTokenList(old browsers might return a string according to an old spec).Cross-origin iframes without the sandboxed origin browsing context flag
That is, cross-origin iframes with no sandbox attribute, or cross-origin iframes with a sandbox attribute which contains the allow-same-origin and allow-scripts keywords.
In this case, the use of frameElement is blocked:
- According to W3C, it should throw a SecurityError exception. This is implemented by Chrome.
- According to WHATWG, it should return
null. This is implemented by Firefox.
allow-same-originin a cross-origin iframe isn't much useful, consider assuming the iframe isn't sandboxed.Iframes with the sandboxed origin browsing context flag
That is, iframes with a sandbox attribute which doesn't contain the allow-same-origin keyword but contains the allow-scripts keyword.
As in the previous case, the use of frameElement is blocked.
However, you can detect this case because
document.domainwill be the empty string.
Note: Firefox treats data URIs as same-origin, so it's OK. However, Chrome treats them as cross-origin. Then
frameElementdoesn't work anddocument.domainis the empty string regardless of whether the iframe is sandboxed or not. You can check whetherlocation.protocolis'data:'string to detect data URIs.In general, you might try something like
function isSandboxedIframe() { if (window.parent === window) return 'no-iframe'; try { var f = window.frameElement; } catch(err) { f = null; } if(f === null) { if(document.domain !== '') return 'unkown'; // Probably 'non-sandboxed' if(location.protocol !== 'data:') return 'sandboxed'; return 'unkown'; // Can be 'sandboxed' on Firefox } return f.hasAttribute('sandbox') ? 'sandboxed' : 'non-sandboxed'; }讨论(0) -
A project sandblaster can help you detect if you running being sandboxed.
Sandbox check if itself is framed first and then scans through the attributes of the frame element to detect several information about itself. These includes
framed,crossOrigin,sandboxed,sandboxAllowances,unsandboxable,resandboxable,sandboxable.To detect if itself is sandboxed in our case, it checks if the frame element has an attribute
sandbox.// On below `frameEl` is the detected frame element try { result.sandboxed = frameEl.hasAttribute("sandbox"); } catch (sandboxErr) { result.sandboxed = null; if (typeof errback === "function") { errback(sandboxErr); } }I tried to replicate your issue and to test if this solution works, I had to paste the script into the window itself due to the security issue.
<html> <head> </head> <body> <script> //Paste the contents of the script(https://raw.githubusercontent.com/JamesMGreene/sandblaster/master/dist/sandblaster.js) here var result = sandblaster.detect(); if(result.sandboxed === true) { //sandboxed } debugger; </script> </body> </html>Here is a demo: http://jsfiddle.net/Starx/tzmn4088/ that shows this working.
讨论(0)
加载中...
- 热议问题