Skip to content

HTMLIFrameElement.srcdoc - takes trusted types #41459

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hamishwillee merged 10 commits into from
Oct 12, 2025
Merged

HTMLIFrameElement.srcdoc - takes trusted types #41459

Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
e65b315
HTMLIFrameElement.srcdoc - TT updates
hamishwillee Oct 10, 2025
13d606c
Update link from parent
hamishwillee Oct 10, 2025
eaeb1c6
Update files/en-us/web/api/htmliframeelement/srcdoc/index.md
hamishwillee Oct 12, 2025
cde1341
Update files/en-us/web/api/htmliframeelement/srcdoc/index.md
hamishwillee Oct 12, 2025
f8a716c
Update files/en-us/web/api/htmliframeelement/srcdoc/index.md
hamishwillee Oct 12, 2025
e06ff41
Update files/en-us/web/api/htmliframeelement/srcdoc/index.md
hamishwillee Oct 12, 2025
9d286cd
Update files/en-us/web/api/htmliframeelement/srcdoc/index.md
hamishwillee Oct 12, 2025
6d39ad2
Apply suggestion from @hamishwillee
hamishwillee Oct 12, 2025
5c4a4d7
Apply suggestion from @hamishwillee
hamishwillee Oct 12, 2025
298e9f8
Apply suggestion from @hamishwillee
hamishwillee Oct 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Apply suggestion from @hamishwillee
  • Loading branch information
@hamishwillee
hamishwillee authored Oct 12, 2025
commit 5c4a4d79d316c5c1e7edf7ff1b51f2e0889a7c22
2 changes: 1 addition & 1 deletion files/en-us/web/api/htmliframeelement/srcdoc/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ The `srcdoc` property allows absolutely any HTML markup to run in a frame by def
If the frame is not sandboxed using the Content Security Property (CSP) [`sandbox` directive](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/sandbox) (or is sandboxed but includes the [`allow-same-origin`](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/sandbox#allow-same-origin) value) then it will be same-origin with the parent.
This means that the frame will have complete access to the parent DOM and resources, and visa versa.

This is a very significant vector for [Cross-site-scripting (XSS)](/en-US/docs/Web/Security/Attacks/XSS) attacks if potentially unsafe strings provided by a user are injected into a frame without first being sanitized.
This is a significant vector for [Cross-site-scripting (XSS)](/en-US/docs/Web/Security/Attacks/XSS) attacks if potentially unsafe strings provided by a user are injected into a frame without first being sanitized.
Consider the following code where a string of HTML from a user might be passed into a frame that is then added to the document.

```js
Expand Down