Allow autofilling iframes like samsclub.com (#16560)

* Allow autofilling iframes like samsclub.com * Add back original checks * Remove unused mock
2025-12-10 13:23:34 +00:00 · 2025-09-26 10:21:28 +02:00
parent 1c823ed9f6
commit 4a9183adc5
2 changed files with 21 additions and 6 deletions
--- a/apps/browser/src/autofill/services/insert-autofill-content.service.spec.ts
+++ b/apps/browser/src/autofill/services/insert-autofill-content.service.spec.ts
@@ -153,7 +153,9 @@ describe("InsertAutofillContentService", () => {

    it("returns early if the script is filling within a sand boxed iframe", async () => {
      Object.defineProperty(globalThis, "frameElement", {
-        value: { hasAttribute: jest.fn(() => true) },
+        value: {
+          getAttribute: jest.fn(() => ""),
+        },
        writable: true,
      });
      jest.spyOn(insertAutofillContentService as any, "userCancelledInsecureUrlAutofill");
--- a/apps/browser/src/autofill/utils/index.ts
+++ b/apps/browser/src/autofill/utils/index.ts
@@ -499,11 +499,24 @@ export function isInvalidResponseStatusCode(statusCode: number) {
 * Determines if the current context is within a sandboxed iframe.
 */
 export function currentlyInSandboxedIframe(): boolean {
-  return (
-    String(self.origin).toLowerCase() === "null" ||
-    globalThis.frameElement?.hasAttribute("sandbox") ||
-    globalThis.location.hostname === ""
-  );
+  if (String(self.origin).toLowerCase() === "null" || globalThis.location.hostname === "") {
+    return true;
+  }
+
+  const sandbox = globalThis.frameElement?.getAttribute?.("sandbox");
+
+  // No frameElement or sandbox attribute means not sandboxed
+  if (sandbox === null || sandbox === undefined) {
+    return false;
+  }
+
+  // An empty string means fully sandboxed
+  if (sandbox === "") {
+    return true;
+  }
+
+  const tokens = new Set(sandbox.toLowerCase().split(" "));
+  return !["allow-scripts", "allow-same-origin"].every((token) => tokens.has(token));
 }

 /**