
Clarify parent-side DOM access with allow-same-origin in <iframe> sandbox #42633

@omidfarhangnia

Description


MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

What specific section or headline is this issue about?

Attributes > sandbox > allow-same-origin

What information was incorrect, unhelpful, or incomplete?

The current description for the allow-same-origin token within the sandbox attribute is incomplete. It states that omitting it prevents access to "some JavaScript APIs," and the associated footnote for Chrome 70 mentions that "script execution" is blocked without allow-scripts.
This creates an ambiguity: it doesn't clarify that while internal script execution is blocked, the parent document can still interact with the iframe's DOM if allow-same-origin is present. Many developers (including myself) initially assume that allow-scripts is required for any JS-based interaction (like measuring scrollHeight), which is not the case for parent-to-child access.

What did you expect to see?

I expected to see a clear distinction between internal script execution (governed by allow-scripts) and external DOM access from a same-origin parent.
I suggest adding a note to the allow-same-origin section: "Note: Even without allow-scripts, a parent document with the same origin can still access and manipulate the iframe's DOM. allow-scripts only controls scripts running inside the embedded context."

Do you have any supporting links, references, or citations?

This behavior is defined in the HTML Living Standard. According to the specification for the sandbox attribute, the allow-same-origin keyword allows the content to be treated as being from its real origin.
The specification distinguishes between the "sandboxed origin browsing context flag" and the "sandboxed scripts browsing context flag". My issue highlights that lifting the former (via allow-same-origin) is enough for a same-origin parent to bypass the opaque origin restriction for DOM access, independent of the scripts flag.

Do you have anything more you want to share?

Here is a minimal example to reproduce the behavior. It demonstrates that a parent can read the scrollHeight of a sandboxed iframe without allow-scripts, provided allow-same-origin is set.

```html
<iframe id="myIframe" sandbox="allow-same-origin" src="content.html"></iframe>
```

The confusion: The current MDN footnote regarding Chrome 70 and the general phrasing under sandbox often lead developers to believe that any script-related interaction (including from the parent) requires allow-scripts. Clarifying this would help developers implement the Principle of Least Privilege by not enabling allow-scripts when they only need to measure or style the iframe from the outside.
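Added example, written for this page and not taken from the issue, MDN or the HTML Standard: it models the two flags the issue contrasts (the origin flag lifted by `allow-same-origin`, the scripts flag lifted by `allow-scripts`) as a pure function that runs anywhere, and pairs it with a browser-only helper that performs the parent-side `scrollHeight` read the issue describes. `content.html` is the issue's file name and is assumed to be served from the parent's origin; `parseSandbox`, `sandboxCapabilities`, `measureSandboxedFrame` and `frameIsSameOrigin` are names introduced here. The caveat about combining both tokens is the HTML Standard's own warning, not a claim from the issue.

```javascript
// Added example (not the issue's, MDN's or the spec's code): model the two
// sandbox flags the issue distinguishes, then do the parent-side measurement.

// Tokens the sandbox attribute recognises; browsers ignore anything else.
const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Parse a sandbox attribute value: tokens are separated by ASCII whitespace and
// matched ASCII case-insensitively; an empty attribute lifts no restriction.
function parseSandbox(value) {
  const lifted = new Set();
  const text = String(value == null ? '' : value);
  for (const raw of text.split(/[ \t\n\f\r]+/)) {
    const token = raw.toLowerCase();
    if (SANDBOX_TOKENS.has(token)) lifted.add(token);
  }
  return lifted;
}

// What a parent can do with <iframe sandbox="..."> whose src shares the
// parent's origin (frameIsSameOrigin = false models a third-party src).
// Names here are this example's own, not an API of the platform.
function sandboxCapabilities(value, frameIsSameOrigin = true) {
  const lifted = parseSandbox(value);
  const realOrigin = lifted.has('allow-same-origin'); // origin flag cleared
  const scripts = lifted.has('allow-scripts');        // scripts flag cleared
  return {
    // Governed only by allow-scripts: does script inside the frame execute?
    scriptsRunInside: scripts,
    // Governed only by allow-same-origin (and the real origin matching):
    // can the parent read or write the frame's DOM, e.g. scrollHeight?
    parentCanAccessDom: realOrigin && frameIsSameOrigin,
    // Caveat from the HTML Standard, not raised in the issue: with both tokens
    // a same-origin frame can remove its own sandbox attribute and reload,
    // escaping the sandbox. Measuring from outside needs only allow-same-origin.
    canEscapeSandbox: realOrigin && scripts && frameIsSameOrigin,
  };
}

// Browser-only: append a sandboxed frame and read its DOM from the parent once
// it has loaded. Resolves with scrollHeight; rejects when the frame's origin
// is opaque (allow-same-origin absent), in which case contentDocument is null.
function measureSandboxedFrame(doc, src, sandbox) {
  return new Promise((resolve, reject) => {
    const iframe = doc.createElement('iframe');
    iframe.setAttribute('sandbox', sandbox);
    iframe.src = src;
    iframe.addEventListener('load', () => {
      const frameDoc = iframe.contentDocument;
      if (!frameDoc) {
        reject(new Error(`no DOM access with sandbox="${sandbox}": frame origin is opaque`));
        return;
      }
      resolve(frameDoc.documentElement.scrollHeight);
    });
    doc.body.appendChild(iframe);
  });
}

// Usage in a page served from the same origin as content.html (the issue's
// file name, assumed to exist). Skipped when there is no DOM, e.g. under Node.
if (typeof document !== 'undefined') {
  measureSandboxedFrame(document, 'content.html', 'allow-same-origin')
    .then((h) => console.log('scrollHeight without allow-scripts:', h))
    .catch((e) => console.error(e.message));
}
```

Running the browser part with `sandbox="allow-scripts"` instead gives the inverse result: script inside the frame runs, but `contentDocument` is null and the promise rejects, which is the distinction the issue asks MDN to spell out.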

Labels: Content:HTML (Hypertext Markup Language docs)