Allow autofilling iframes like samsclub.com (#16560)

* Allow autofilling iframes like samsclub.com

* Add back original checks

* Remove unused mock

apps/browser/src/autofill/services/insert-autofill-content.service.spec.ts

@@ -153,7 +153,9 @@ describe("InsertAutofillContentService", () => {
 
     it("returns early if the script is filling within a sand boxed iframe", async () => {
       Object.defineProperty(globalThis, "frameElement", {
-        value: { hasAttribute: jest.fn(() => true) },
+        value: {
+          getAttribute: jest.fn(() => ""),
+        },
         writable: true,
       });
       jest.spyOn(insertAutofillContentService as any, "userCancelledInsecureUrlAutofill");

apps/browser/src/autofill/utils/index.ts

@@ -499,11 +499,24 @@ export function isInvalidResponseStatusCode(statusCode: number) {
  * Determines if the current context is within a sandboxed iframe.
  */
 export function currentlyInSandboxedIframe(): boolean {
-  return (
+  if (String(self.origin).toLowerCase() === "null" || globalThis.location.hostname === "") {
-    String(self.origin).toLowerCase() === "null" ||
+    return true;
-    globalThis.frameElement?.hasAttribute("sandbox") ||
+  }
-    globalThis.location.hostname === ""
+
-  );
+  const sandbox = globalThis.frameElement?.getAttribute?.("sandbox");
+
+  // No frameElement or sandbox attribute means not sandboxed
+  if (sandbox === null || sandbox === undefined) {
+    return false;
+  }
+
+  // An empty string means fully sandboxed
+  if (sandbox === "") {
+    return true;
+  }
+
+  const tokens = new Set(sandbox.toLowerCase().split(" "));
+  return !["allow-scripts", "allow-same-origin"].every((token) => tokens.has(token));
 }
 
 /**