So I just want to sandbox one HTML file in an iframe, and it works as long as there is just the allow-scripts attribute, but as soon as I add allow-same-origin it stops working because of this:
Notes about sandboxing: When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all. Sandboxing is useless if the attacker can display content outside a sandboxed iframe — such as if the viewer opens the frame in a new tab. Such content should be also served from a separate origin to limit potential damage. The sandbox attribute is unsupported in Internet Explorer 9 and earlier.
From: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
Code of the iframe:
<iframe src="index.html" sandbox='allow-scripts allow-same-origin'></iframe>
I want allow-same-origin because I want to use the same CSS in the iframe as in index.html.
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Title</title>
  <script> ... </script>
  <link rel="stylesheet" href="style.css">
</head>
<body>
  <p class="text-light" id="something">something</p>
  <button onclick="function1()" class="btn button-gradient">Listen</button>
</body>
</html>
This is the HTML file that is in the src of the iframe, and if I do not add allow-scripts, the button does not work. By the way, it works in Chrome flawlessly with sandbox in the manifest file. @SLaks – Marko Žlender
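The combination the quoted MDN note warns about can be checked mechanically. The following is an added example, not part of the original question: a hypothetical `auditSandbox` helper that takes the embedding page URL, the iframe `src` and the `sandbox` attribute value, and reports whether the frame can undo its own sandbox. The example.com and example.net URLs used with it are constructed.

```javascript
// Added example: flags the sandbox token combination the MDN note warns about.
// auditSandbox is a hypothetical helper name, not a browser API.
function auditSandbox(embedderUrl, frameSrc, sandboxAttr) {
  // No sandbox attribute at all: the frame runs without sandbox restrictions.
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return { sandboxed: false, verdict: "not-sandboxed" };
  }
  // Tokens are space-separated and ASCII case-insensitive.
  const tokens = new Set(
    sandboxAttr.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase())
  );
  const scripts = tokens.has("allow-scripts");
  const keepsOrigin = tokens.has("allow-same-origin");

  // Resolve a relative src such as "index.html" against the embedding page.
  const frameOrigin = new URL(frameSrc, embedderUrl).origin;
  const pageOrigin = new URL(embedderUrl).origin;
  // URL.origin is the string "null" for opaque origins (e.g. data:), which never match.
  const sameOriginAsPage = frameOrigin !== "null" && frameOrigin === pageOrigin;

  let verdict;
  if (scripts && keepsOrigin && sameOriginAsPage) {
    // Framed script shares the parent's origin and can remove the attribute.
    verdict = "escapable";
  } else if (!keepsOrigin) {
    // Without allow-same-origin the frame is treated as a unique origin.
    verdict = "opaque-origin";
  } else {
    // Origin is kept, but either scripts are off or the frame is cross-origin.
    verdict = "keeps-origin";
  }
  return { sandboxed: true, scripts, keepsOrigin, sameOriginAsPage, verdict };
}

// Constructed input mirroring the iframe in the question.
const page = "https://app.example.com/page.html";
console.log(auditSandbox(page, "index.html", "allow-scripts allow-same-origin"));
console.log(auditSandbox(page, "https://sandbox.example.net/index.html",
                         "allow-scripts allow-same-origin"));
```

Serving the framed file from a separate origin, as the MDN note recommends, moves the first case from "escapable" to "keeps-origin".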