dylanmccall
commented
1 year ago I can reproduce that issue as well. It looks like this commit attempted to solve the problem:
https://github.com/h5p/h5p-interactive-book/commit/06eb6ff2dafd5d6aaee40c7808179038a4bbce87
However, it looks like there's a mistake here: https://github.com/h5p/h5p-interactive-book/blob/786c11ca05bf10bfeddac345cecc1967f0a1171a/src/scripts/app.js#L801-L819
It looks like it's assuming that hashWindow.addEventListener() will throw a DOMException if hashWindow is window.top. If the code in the iframe is from a different origin, that is the case. Otherwise, the code in the sandbox is perfectly allowed to add an event listener: it just isn't allowed to change the location.
The obvious fix would be to do whatever the changeHash function is doing inside that addHashListener function, as a way to test that the location is writable (and reset it to a default state). Unfortunately, it looks like setting the hash to its current value is a no-op and won't throw an exception, which is very awkward :/
Uh, is there an established reason why we want to modify window.top's location here? I see this is where that got added, but I don't really follow the rationale: https://github.com/h5p/h5p-interactive-book/commit/21e4076c4c1637d52dc5ec84f2cac1da5075c404.
borovinskiy
Demo: https://demo.elibsystem.ru/node/38675/webfs/index.html
Application try change hash of location, that not allowed for iframe. Browser throws error and page not changing.
Reproduce:
Problem code example:
<iframe src="https://demo.elibsystem.ru/h5p/embed/38674" sandbox="allow-same-origin allow-scripts allow-popups allow-forms" allowfullscreen style="width: 100vw; height: 100vh; border: 0px;"></iframe>Workaround: sandbox="allow-top-navigation"