#52133: fix: inherit iframe sandbox flags in windows opened on the OpenURL navigation path
Merged
Created: Jun 25, 2026, 4:16:19 PM
Merged: Jun 29, 2026, 11:56:12 AM
5 comments
Target: main
Description of Change
Per the HTML spec, a popup opened from a sandboxed frame must inherit the opener's sandbox flags unless allow-popups-to-escape-sandbox is set. Windows opened through the OpenURLFromTab path (e.g. modifier-clicked links, routed through the internal -new-window event) didn't do this, unlike window.open popups and unlike the same flow in Chrome.
- Resolve the initiating frame from the OpenURLParams source frame;
frame_tree_node_ididentifies the target frame and is unset for these dispositions, so the existing check from #51401 never ran on this path. - When
allow-popups-to-escape-sandboxis absent, pass the initiator's active sandbox flags through-new-windowand apply them asstarting_sandbox_flagswhen the new window's WebContents is created, mirroring whatWebContentsImpl::CreateWithOpenerdoes for renderer-created popups.
When setWindowOpenHandler returns a custom createWindow, the inherited flags apply when the provided webPreferences are forwarded to the created window.
Checklist
- PR description included and stakeholders cc'd
-
npm testpasses - tests are changed or added
- PR title follows semantic commit guidelines
Release Notes
Notes: Windows opened from links inside a sandboxed iframe now inherit the iframe's sandbox restrictions unless allow-popups-to-escape-sandbox is set.
Backports
Semver Impact
Major
Breaking changes
Minor
New features
Patch
Bug fixes
None
Docs, tests, etc.
Semantic Versioning helps users understand the impact of updates:
- Major (X.y.z): Breaking changes that may require code modifications
- Minor (x.Y.z): New features that maintain backward compatibility
- Patch (x.y.Z): Bug fixes that don't change the API
- None: Changes that don't affect using facing parts of Electron