javascript - 在 <iframe/> 上设置沙箱 ="allow-scripts allow-popups allow-same-origin"是否安全？

Question

我在我的应用程序中动态创建一个 iframe，结果如下所示:

<iframe src="blob:http%3A//localhost%3A9292/0194dfed-6255-4029-a767-c60156f3d359" 
        scrolling="no" sandbox="allow-scripts allow-popups allow-same-origin" 
        name="sandbox" style="width: 100%; height: 100%; border: 0px;"></iframe>

这样的沙箱配置是否安全(特别是允许将 iframe 内容视为来自同一来源)？

Answer 1

正如 Namey 评论的那样，allow-same-origin 将不允许 iframe 被视为与父级同源并且可以安全使用(除非父级和 iframe 共享同源，cf: warning on MDN ).

如 https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/#granular-control-over-capabilities 所述:

The framed document is loaded into a unique origin, which means that all same-origin checks will fail; unique origins match no other origins ever, not even themselves. Among other impacts, this means that the document has no access to data stored in any origin’s cookies or any other storage mechanisms (DOM storage, Indexed DB, etc.).