
Conversation

@omidfarhangnia

Adds a note under the allow-same-origin token explaining that a same-origin parent document can still access and manipulate the iframe's DOM even if allow-scripts is not set. The allow-scripts token only controls script execution inside the embedded document and does not affect parent-to-iframe DOM interactions.

Fixes #42633

Description

Clarifies the distinction between internal script execution within a sandboxed <iframe> and parent-side DOM access. This helps developers understand that allow-same-origin is sufficient for same-origin parent access, and allow-scripts only governs scripts running inside the iframe itself.

Motivation

Many developers assume that allowing scripts inside the iframe (allow-scripts) is required to access or measure DOM properties like scrollHeight from the parent. This PR clears up that misconception, supporting the Principle of Least Privilege by avoiding unnecessary enablement of allow-scripts.

Additional details

Minimal reproducible example:

<iframe id="myIframe" sandbox="allow-same-origin" src="content.html"></iframe>

A same-origin parent can read or manipulate the iframe's DOM without setting allow-scripts.

Related issues and pull requests

Fixes #42633
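The parent-side access the description refers to, as an added self-contained demo page (not code from the PR, from the linked issue, or from MDN). The embedded document is inlined with `srcdoc` so one file is enough; the ids, text and the `<pre>` log are constructed for the demo, and the page is assumed to be served over HTTP from a local static server rather than opened from `file://`, where browser origin handling for frames differs. Because the frame carries `sandbox="allow-same-origin"` and no `allow-scripts`, the `<script>` inside the embedded document must not run, while the parent can still read `scrollHeight` and append a node.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>allow-same-origin without allow-scripts</title>

<!-- Constructed demo frame: same-origin access is granted, script execution
     inside the embedded document is not. The inner <script> would overwrite
     the paragraph text if it were allowed to run. -->
<iframe id="sandboxed"
        sandbox="allow-same-origin"
        srcdoc="<body>
                  <p id='inner'>hello from the sandboxed document</p>
                  <script>document.getElementById('inner').textContent = 'inner script ran';</script>
                </body>">
</iframe>

<pre id="log"></pre>

<script>
  const log = (msg) => {
    document.getElementById("log").textContent += msg + "\n";
  };
  const frame = document.getElementById("sandboxed");

  frame.addEventListener("load", () => {
    // contentDocument is null when the frame is cross-origin (for example a
    // sandboxed frame without allow-same-origin, which gets an opaque origin).
    const doc = frame.contentDocument;
    if (!doc) {
      log("parent cannot reach the iframe DOM: is allow-same-origin set?");
      return;
    }

    // 1. Parent reads layout information from the sandboxed document.
    log("scrollHeight = " + doc.body.scrollHeight);

    // 2. Inner script was blocked: the paragraph still holds its original text.
    const inner = doc.getElementById("inner").textContent;
    log("inner script " +
        (inner === "inner script ran" ? "RAN (allow-scripts is present)" : "did not run"));

    // 3. Parent manipulates the iframe DOM directly.
    const note = doc.createElement("p");
    note.textContent = "injected by the parent document";
    doc.body.appendChild(note);
    log("body children after injection = " + doc.body.children.length);
  });
</script>
```

Adding `allow-scripts` to the `sandbox` attribute flips the second log line and is the one token the least-privilege argument says to leave out. The inverse combination is the one to be careful with: a same-origin embedded document that is granted both `allow-same-origin` and `allow-scripts` can reach up into the parent and remove the `sandbox` attribute from its own frame, so the pair should not be used together for same-origin content that is not fully trusted.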

…dbox

Adds a note under the allow-same-origin token explaining that a same-origin parent
document can still access and manipulate the iframe's DOM even if allow-scripts is
not set. The allow-scripts token only controls script execution inside the embedded
document and does not affect parent-to-iframe DOM interactions.

Fixes mdn#42633
See: mdn#42633
@omidfarhangnia omidfarhangnia requested a review from a team as a code owner January 6, 2026 18:06
@omidfarhangnia omidfarhangnia requested review from pepelsbey and removed request for a team January 6, 2026 18:06
@github-actions github-actions bot added the labels Content:HTML (Hypertext Markup Language docs) and size/xs ([PR only] 0-5 LoC changed) on Jan 6, 2026
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>


Development

Successfully merging this pull request may close these issues.

Clarify parent-side DOM access with allow-same-origin in <iframe> sandbox
