Does Caja support the src attribute of iframe? I see the iframe tag whitelisted in the whitelist file (html4-elements-whitelist.json) but when I try to run the code that I have shared in this plunker:
https://plnkr.co/edit/dQoxqpZBGTUNe0k1W8QM
The childPage is not fetched at all.
Here is my uriPolicy:
    var uriPolicy = {
      rewrite: function(uri) {
        if (uri.hasDomain(window.location.hostname) && uri.hasPort(window.location.port))
          return uri;
        return null;
      },
      fetch: caja.policy.net.fetcher.USE_XHR, // fetch external scripts and css
      mitigate: function() {
        // can be used to proxy known and mitigated external URLs
        return null;
      }
    };
Also, the generated code for the iframe tag is:
    <iframe data-caja-src="./childPage.html"></iframe>
Which seems to be suggesting that the src attribute is not supported. Am I right? Or am I doing something wrong?
Also, the only way I see to put content inside the iframe is to do a document.write inside that iframe.
I just wanted to make sure that Caja does sanitize all content written into the iframe using document.write? As far as I tested it does, but I just wanted a confirmation from the creators.
Thank you