How to programatically remove sandbox attribute from an iframe with javascript

5
votes

I didn't think this was possible, however, i found this quote:

"It is strongly discouraged to use both allow-scripts and allow-same-origin at the same time, as that allows the embedded document to programmatically remove the sandbox attribute."

My iframe needs to have a sandbox, but only when I am browsing in certain URLs where the embedded browsing context tries to navigate (load) content to the top-level browsing context (Jump out of frame...)

On other pages the sandbox needs to be removed entirely, as it wont allow me to browse away from a site with a different origin...

The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.

Programatically changing the sandbox with : 

document.getElementById("frame").sandbox = "";

...doesnt work either as this still places restrictions... Therefore, i need to somehow remove the attribute entirely, how would i go about doing this?

2
javascriptjqueryhtmlgoogle-chrome
I would think you would just need to reset the iframe instead of changing the attribute. that means, delete the iframe and recreate it.Timmerz

2 Answers

6
votes

These flags only take effect when the nested browsing context of the iframe is navigated. Removing them, or removing the entire sandbox attribute, has no effect on an already-loaded page.

More info - Here

0
votes

You can remove the sandbox attribute from the element using iframe.removeAttribute("sandbox") this will make the iframe non-sandboxed for the next content you load into it, not the currently loaded one.