User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0

Steps to reproduce:

Minimal repo: https://github.com/mjbvz/safari-sandbox-link-issue

1. Create an iframe that sets sandbox="allow-same-origin" and loads a file on the same origin as the host page (script should be disabled inside the iframe)
2. Try adding an event listener for clicks inside the iframe:

const iframe = document.querySelector('iframe');
iframe.contentWindow.addEventListener('click', (e) => {
    console.log('Handling click', e);
    e.preventDefault();
});

3. Try clicking on a link inside the iframe

Actual results:

The link is opened inside the iframe and the event listener is never invoked

Expected results:

The event handler should be invoked instead and navigation should be prevented by the listener This is the behavior I see in Chromium based browsers.

I ran into this bug while working on VS Code for the web. The Chrome behavior is useful as it lets us keep scripts disabled for the document while still having custom logic for handling link opening

Hi Matt,
unfortunately I do not have technical skills to reproduce this issue.
I've assigned a component in order to get the dev team involved, who might take a closer look at this and offer some additional info/help.
'Core - Dom: Core & HTML' team: if the component is not relevant please change it to a more appropriate one.

Regards,
Jerónimo.

I can't really say how serious this is, :smaug, do you have an opinion?

The testcase is racy. script element runs before the iframe may have gotten window object for the new page.
I think this is basically about the about:blank handling when creating a new iframe.

Yeah, Olli is right. Adding the event listener to the sandboxed document works for me in my testing. In the original testcase, the content window that the click event listener is added to is just replaced before the click happens.