1. What is the issue?
The sandbox attribute added for iFrame elements in the HTML5 spec renders any frame breaking/busting/killing method null in modern browsers (tested with current versions of Chrome & Safari) if the flag allow-top-navigation is not set, even if the flags allow-forms and allow-scripts are present.
2. What I have tried?
- Any JavaScript method out there, such as

  ```
  if (top != self)
      top.location.replace(location);
  ```

- Triggering a submit event on a form with the `target="_top"` attribute
- Triggering a click event on an anchor element with the `target="_top"` attribute. In fact, anchor elements with the `target="_top"` attribute are rendered useless. So, a nice message to advise users to take action won’t work either (as shown in this Flickr iFrame example).
3. What I want to achieve?
I want a way to break out of frames on modern browsers, which have implemented the sandbox attribute for iFrames with the flags allow-forms and allow-scripts present.
Seems like they have just given the missing pieces of a puzzle to all black hats with this attribute.
4. What I am not looking for?
I am looking for a solution, which will break out of frames. Not for a solution, which won’t display the site inside frames (such as X-Frame-Options response header) or using CSS to hide the body and such.
I am afraid that you won’t find a solution, as the point of the sandbox is that you can’t break out of it.
If there was a hack to break out, it would be classified as a security issue by the vendor and patched quickly.
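
As an added illustration (not part of the original question or answer), the following sketch models how the sandbox tokens gate the three attempts listed in the question. The function names are hypothetical, and it models only the sandbox flags, not any other browser navigation policy.

```javascript
// Added example: which frame-busting attempts the sandbox flags permit.
// parseSandbox and sandboxPermits are hypothetical names for this sketch.

// Split a sandbox attribute value into lowercase tokens (ASCII whitespace
// separated, case-insensitive). null means the iframe has no sandbox
// attribute; "" means sandboxed with every restriction applied.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// userGesture: true when the attempt is driven by a real user click.
function sandboxPermits(sandboxValue, userGesture = false) {
  const tokens = parseSandbox(sandboxValue);
  if (tokens === null) {
    // Not sandboxed: the sandbox flags restrict nothing.
    return { scriptBuster: true, formTargetTop: true, anchorTargetTop: true };
  }
  // Navigating the top-level context needs one of these two tokens.
  const topNav = tokens.has("allow-top-navigation") ||
    (userGesture && tokens.has("allow-top-navigation-by-user-activation"));
  return {
    // if (top != self) top.location.replace(location);
    scriptBuster: tokens.has("allow-scripts") && topNav,
    // <form target="_top"> submission
    formTargetTop: tokens.has("allow-forms") && topNav,
    // <a target="_top"> click
    anchorTargetTop: topNav,
  };
}

// Constructed sample values, including the case from the question.
for (const v of ["allow-forms allow-scripts",
                 "allow-forms allow-scripts allow-top-navigation", ""]) {
  console.log(JSON.stringify(v), sandboxPermits(v));
}
```

With `allow-forms allow-scripts` alone, all three results are `false`, which matches the behaviour described in the question.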