Do iframes with src still work in Caja?

Tapan Anand

Mar 23, 2017, 11:58:17 AM
to Google Caja Discuss
Does Caja support the src attribute of iframe? I see the iframe tag whitelisted in the whitelist file (html4-elements-whitelist.json), but when I try to run the code that I have shared in this plunker (https://plnkr.co/edit/dQoxqpZBGTUNe0k1W8QM), the childPage is not fetched at all.

Here is my uriPolicy: 
var uriPolicy = {
    rewrite: function(uri) {
        if (uri.hasDomain(window.location.hostname) && uri.hasPort(window.location.port))
            return uri;
        return null;
    },
    fetch: caja.policy.net.fetcher.USE_XHR, // fetch external scripts and css
    mitigate: function() {
        // can be used to proxy known and mitigated external URLs
        return null;
    }
};

Also, the generated code for the iframe tag is: 
<iframe data-caja-src="./childPage.html"></iframe>

This seems to suggest that the src attribute is not supported. Am I right? Or am I doing something wrong?
Also, the only way I see to put content inside the iframe is to do a document.write inside that iframe.
I just wanted to make sure that Caja does sanitize all content written into the iframe using document.write? As far as I tested, it does, but I just wanted a confirmation from the creators.

Thank you

Kevin Reid

Mar 23, 2017, 12:00:20 PM
to Google Caja Discuss
On Thu, Mar 23, 2017 at 1:49 AM, Tapan Anand <anandtap...@gmail.com> wrote:
Does caja support the src attribute of iframe? I see the iframe tag whitelisted in the whitelist file (html4-elements-whitelist.json) but when I try to run the code that I have shared in this plunker: https://plnkr.co/edit/dQoxqpZBGTUNe0k1W8QM
The childPage is not fetched at all.
... 
I just wanted to make sure that Caja does sanitize all content written into the iframe using document.write?

Yes, that is all correct. Caja does not implement loading iframe src, but the guest code can create an iframe and manipulate it using document.write or DOM operations, and it is sandboxed just as the outer document is.
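
The approach described in the reply above, sketched as an added example that is not part of the thread or of the Caja project: guest code fetches the child page itself and writes it into an iframe it created, in place of src loading. It assumes the guest's tamed DOM exposes iframe.contentDocument and XMLHttpRequest and that the request still passes through the host's uriPolicy; loadIntoFrame and its parameters are hypothetical names.

```javascript
// Added example, not from the thread. Guest-side stand-in for
// <iframe src=...>: fetch the child page, then write it into a new iframe.
// Assumptions: iframe.contentDocument and XMLHttpRequest are available to
// the guest; loadIntoFrame and its parameters are hypothetical names.
function loadIntoFrame(doc, container, url, XhrCtor, done) {
  var frame = doc.createElement('iframe');
  container.appendChild(frame); // attach first so the frame has a document

  var xhr = new XhrCtor();
  xhr.open('GET', url, true);
  xhr.onload = function () {
    if (xhr.status !== 200) {
      // Leave the frame empty rather than writing an error page into it.
      done(new Error('fetch failed: HTTP ' + xhr.status), frame);
      return;
    }
    var inner = frame.contentDocument;
    inner.open();
    inner.write(xhr.responseText); // written content is sandboxed like the outer document
    inner.close();
    done(null, frame);
  };
  xhr.onerror = function () {
    done(new Error('fetch blocked or failed'), frame);
  };
  xhr.send();
  return frame;
}

// Usage inside a browser guest; skipped when no DOM is present.
if (typeof document !== 'undefined' && typeof XMLHttpRequest !== 'undefined') {
  loadIntoFrame(document, document.body, './childPage.html', XMLHttpRequest,
    function (err) { if (err) { console.log(err.message); } });
}
```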

Tapan Anand

Mar 23, 2017, 2:35:40 PM
to Google Caja Discuss
Awesome! Thanks :)