Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#HTMLQuiz what happens (iframe escape)

#HTMLQuiz what happens?

<iframe id=x></iframe>
<script>
x.contentDocument.body.appendChild(x);
</script>
  • wild DOMException appears
  • iframe escapes

https://twitter.com/zcorpan/status/775616491379187712

(The question was about what happens per spec, not what happens in some particular browser engine.)

Correct answer: iframe escapes.

Nothing prevents the iframe element from being moved to its own document (about:blank is same-origin). So the iframe element is removed from its original document.

https://dom.spec.whatwg.org/#dom-node-appendchild

When an iframe is removed from a document, its browsing context disappears. So the child document does not have a browsing context when the iframe element is inserted into it. Therefore the iframe, after the move, does not have a new child browsing context (there's no infinite recursion happening).

When an iframe element is inserted into a document that has a browsing context, the user agent must create a new browsing context, set the element's nested browsing context to the newly-created browsing context, and then process the iframe attributes for the "first time".

When an iframe element is removed from a document, the user agent must discard the element's nested browsing context, if it is not null, and then set the element's nested browsing context to null.

https://html.spec.whatwg.org/multipage/embedded-content.html#the-iframe-element

If the script had saved a reference to the iframe's window, the script would still be able to access it, its document, and the moved iframe element, after the move.

http://software.hixie.ch/utilities/js/live-dom-viewer/saved/4461

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.