Clarify parent-to-child DOM access with allow-same-origin #42649
+2
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…dbox Adds a note under the allow-same-origin token explaining that a same-origin parent document can still access and manipulate the iframe's DOM even if allow-scripts is not set. The allow-scripts token only controls script execution inside the embedded document and does not affect parent-to-iframe DOM interactions. Fixes mdn#42633 See: mdn#42633
github-actions
bot
added
Content:HTML
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Contributor
|
Preview URLs |
pepelsbey
approved these changes
Jan 9, 2026
Member
pepelsbey
left a comment
pepelsbey
left a comment
There was a problem hiding this comment.
Looks good! Thank you :)
A minor suggestion below.
| - `allow-same-origin` | ||
| - : If this token is not used, the resource is treated as being from a special origin that always fails the {{Glossary("same-origin policy")}} (potentially preventing access to [data storage/cookies](/en-US/docs/Web/Security/Defenses/Same-origin_policy#cross-origin_data_storage_access) and some JavaScript APIs). | ||
| > [!NOTE] | ||
| > When `allow-same-origin` is present, a same-origin parent document can access and interact with the iframe's DOM even if `allow-scripts` is not set. The `allow-scripts` token only controls script execution within the embedded browsing context and does not affect DOM access from the parent. |
Member
There was a problem hiding this comment.
Suggested change
| > When `allow-same-origin` is present, a same-origin parent document can access and interact with the iframe's DOM even if `allow-scripts` is not set. The `allow-scripts` token only controls script execution within the embedded browsing context and does not affect DOM access from the parent. | |
| > When `allow-same-origin` is present, a same-origin parent document can still access and interact with the iframe's DOM even if `allow-scripts` is not set. The `allow-scripts` token only controls script execution within the embedded browsing context and does not affect DOM access from the parent. |
Just to stress it a little more. What do you think?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a note under the allow-same-origin token explaining that a same-origin parent document can still access and manipulate the iframe's DOM even if allow-scripts is not set. The allow-scripts token only controls script execution inside the embedded document and does not affect parent-to-iframe DOM interactions.
Fixes #42633
Description
Clarifies the distinction between internal script execution within a sandboxed <iframe> and parent-side DOM access. This helps developers understand that allow-same-origin is sufficient for same-origin parent access, and allow-scripts only governs scripts running inside the iframe itself.
Motivation
Many developers assume that allowing scripts inside the iframe (allow-scripts) is required to access or measure DOM properties like scrollHeight from the parent. This PR clears up that misconception, supporting the Principle of Least Privilege by avoiding unnecessary enablement of allow-scripts.
Additional details
Minimal reproducible example:
A same-origin parent can read or manipulate the iframe's DOM without setting allow-scripts.
Related issues and pull requests
Fixes #42633