Links inside iframe (not in popup) do not work

I went through other similar problems to solve this problem, but for some reason, in this case, all solutions do not work.

So here is my question with an example snippet:

I have an html file that looks like this:

    <div id="portalRight">
      <a target="_blank" href="http://ictforu.com"> <!-- this link works, it opens up another tab -->
      <ul id="subtabnav">
        <li class="datasetTab">
          <a href="#">dataset</a> <!-- Click on this will trigger the dataset iframe to be loaded thru a servlet call -->
        </li>
        <li class="obsGraphTab" data-bind="css: { disabled: !aekos.subTabViewModel.graphTabsEnabled() }">
          <a href="#">Observation Graph</a>
        </li>
        .....
      </ul>
      <div id="dataset">
        <iframe id="dataset-frame" class="graphiframe" seamless sandbox="allow-same-origin allow-scripts"></iframe>
      </div>
      <div id="testViewer">
        <iframe id="test-viewer-frame" class="graphiframe" seamless sandbox="allow-same-origin allow-scripts"></iframe>
      </div>
    </div>

As you can see, my iframe is not a popup, but appears under the Div element: the contents of the iframe are populated using the servlet when the link is clicked.

My iframe has base tags (base target="_parent") under the iframe heading.

I used a tag to indicate behavior, and the link has target="_blank", but my links don't work at all. The same link works outside the iframe.

Iframe example:

    <base target="_parent" />

body content:

    <a target="_blank" href="http://ictforu.com"></a>

This link does not work; clicks are ignored.

Any help is greatly appreciated.

Sorry, there used to be an issue with the HTML tags.

Thank you, Madhu

+6
1 answer

I can't explain the "why", as I know little about the sandbox iframe attribute, but the link opening in a new tab works fine for me when I remove this attribute.

edit:

Looking at it a bit, it seems that you can add the attribute "allow-top-navigation" and then change the link to target="_parent", and it works, but it still will not work if you leave the target="_blank".

Here is some documentation from Mozilla:

sandbox (HTML5 only)
If specified as an empty string, this attribute enables additional restrictions on the content that can be displayed in the inline frame. The attribute value can be a list of tokens, separated by spaces, which remove certain restrictions. Valid tokens are:

  • allow-same-origin : allows the content to be treated as having its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
  • allow-top-navigation : allows the embedded browsing context to navigate (load) content into the top-level browsing context. If this keyword is not used, this operation is not allowed.
  • allow-forms : allows the embedded browsing context to submit forms. If this keyword is not used, this operation is not allowed.
  • allow-scripts : allows the embedded browsing context to run scripts (but not create pop-ups). If this keyword is not used, this operation is not allowed.

Note:

  • When the embedded document has the same origin as the main page, using allow-scripts and allow-same-origin at the same time is strongly discouraged, as this allows the embedded document to programmatically remove the sandbox attribute. Although it is accepted, this case is no safer than not using the sandbox attribute.
  • The sandbox as a whole is only of minimal help if an attacker can arrange for potentially hostile content to be displayed in the user's browser outside a sandboxed iframe. It is recommended that such content be served from a separate dedicated domain in order to limit potential damage.

There are not many, but here is the link

+7
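
An added example, not part of the original question or answer: a small audit of a sandbox value that reports which link targets a sandboxed frame can use and flags the same-origin combination the documentation note warns about. The function name `auditSandbox` is hypothetical; `allow-popups` and `allow-top-navigation-by-user-activation` are standard sandbox tokens that the quoted excerpt does not list. It assumes the frame is a direct child of the top-level page, as in the question.

```javascript
// Added example: audit an iframe sandbox attribute value.
// Assumption: the frame's parent is the top-level page, so target="_parent"
// and target="_top" both navigate the top-level browsing context.
function auditSandbox(sandboxValue, frameIsSameOriginAsParent) {
  // null/undefined means the attribute is absent: no sandboxing at all.
  if (sandboxValue == null) {
    return { sandboxed: false, warnings: [],
             links: { _self: true, _blank: true, _parent: true, _top: true } };
  }
  // Tokens are space-separated and compared case-insensitively.
  const tokens = new Set(sandboxValue.toLowerCase().split(/\s+/).filter(Boolean));
  const topNav = tokens.has('allow-top-navigation') ||
                 tokens.has('allow-top-navigation-by-user-activation');
  const links = {
    _self: true,                        // a frame may always navigate itself
    _blank: tokens.has('allow-popups'), // a new tab or window counts as a popup
    _parent: topNav,
    _top: topNav,
  };
  const warnings = [];
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin') &&
      frameIsSameOriginAsParent) {
    warnings.push('same-origin content with allow-scripts + allow-same-origin ' +
                  'can remove its own sandbox attribute');
  }
  if (!links._blank) {
    warnings.push('target="_blank" links are blocked: allow-popups is missing');
  }
  if (!topNav) {
    warnings.push('target="_parent"/"_top" links are blocked: ' +
                  'no allow-top-navigation token');
  }
  return { sandboxed: true, links, warnings };
}

// Constructed inputs: the question's value, the answer's edit, and a
// variant that allows popups without allow-same-origin.
const question = auditSandbox('allow-same-origin allow-scripts', true);
const answerEdit = auditSandbox(
  'allow-same-origin allow-scripts allow-top-navigation', true);
const withPopups = auditSandbox('allow-scripts allow-popups', false);
console.log(question, answerEdit, withPopups);
```
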

Source: https://habr.com/ru/post/946552/

