Microsoft-authentication-library-for-js: msal creates iframe with redundant sandboxing

Created on 27 Jan 2020 · 4 comments · Source: AzureAD/microsoft-authentication-library-for-js

In WindowUtils.ts, an iframe with sandboxing is created, with both allow-same-origin and allow-scripts set.

This makes the sandboxing itself redundant, and browsers like Firefox actually recommend to just remove the sandboxing altogether in that case. See "Notes about sandboxing" here:

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

question

All 4 comments

@DASPRiD This is intentional, as the sandboxing is to prevent the hidden iframe from navigating the top frame (but we still need to allow other scripts to execute in the iframe and need to be able to access it programmatically via same-origin).

So is it a bug in the Firefox developer tools console then that it reports this?

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.

@DASPRiD Typically, sandboxing is used to isolate 3rd-party websites for scenarios such as when they are used as widgets, for example. In our case, there are only two domains that will be rendered inside the hidden iframe: your authority domain (e.g. login.microsoftonline.com) and your website itself. Because we trust both of these domains, we're not worried about the iframed page being able to remove its sandbox (esp. since the iframed page is only rendered for a brief moment before we parse the response from the url), as we simply want to prevent the iframed page from navigating the top frame.

So that message is definitely meaningful in most situations (i.e. where you are hosting a third-party site that you potentially don't trust by default), but not in our case.
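The trade-off described in the two comments above, as an added example that is not the MSAL.js project's own code: it models what each `sandbox` token grants so you can check the one property that matters for a hidden auth frame (the framed page cannot navigate `top`), report the Firefox condition (`allow-scripts` plus `allow-same-origin` lets same-origin script remove its own sandbox), and flag it only when the framed origin is not one you trust. The token list follows the HTML spec; `checkHiddenAuthFrame`, `createHiddenAuthIframe`, the trusted-origin list and the `https://app.example` origin are assumptions constructed for this example.

```javascript
// Added example (not MSAL.js project code): reason about what an iframe
// `sandbox` attribute permits, so the "allow-scripts allow-same-origin"
// choice can be checked for the property that actually matters here: the
// framed page must not be able to navigate the top-level window.

// Sandbox tokens as defined in the HTML spec. Tokens are ASCII
// case-insensitive and separated by ASCII whitespace.
const KNOWN_TOKENS = new Set([
  'allow-downloads',
  'allow-forms',
  'allow-modals',
  'allow-orientation-lock',
  'allow-pointer-lock',
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-presentation',
  'allow-same-origin',
  'allow-scripts',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

function parseSandbox(attr) {
  // The attribute value is an unordered set of unique space-separated tokens.
  return new Set(
    attr.split(/[\t\n\f\r ]+/).filter(Boolean).map((t) => t.toLowerCase())
  );
}

// `attr === null` models an iframe with no sandbox attribute at all.
function analyzeSandbox(attr) {
  if (attr === null || attr === undefined) {
    return { sandboxed: false, scripts: true, sameOrigin: true,
             topNavigationBlocked: false, canEscapeSandbox: false, unknownTokens: [] };
  }
  const tokens = parseSandbox(attr);
  const scripts = tokens.has('allow-scripts');
  const sameOrigin = tokens.has('allow-same-origin');
  const topNav = tokens.has('allow-top-navigation') ||
                 tokens.has('allow-top-navigation-by-user-activation');
  return {
    sandboxed: true,
    scripts,
    sameOrigin,
    // Without either top-navigation token the framed page cannot navigate `top`.
    topNavigationBlocked: !topNav,
    // The condition Firefox warns about: same-origin script can reach the
    // parent document and remove the sandbox attribute from its own iframe.
    canEscapeSandbox: scripts && sameOrigin,
    unknownTokens: [...tokens].filter((t) => !KNOWN_TOKENS.has(t)),
  };
}

// Hypothetical policy check for a hidden auth iframe: the frame must be
// sandboxed, must not be granted top navigation, and every token must be one
// the browser knows. The escape condition is a finding only when the framed
// origin is not in the trusted list, which is the thread's argument.
// Returns the list of findings; an empty list means the policy holds.
function checkHiddenAuthFrame(attr, trustedOrigins, frameOrigin) {
  const a = analyzeSandbox(attr);
  const findings = [];
  if (!a.sandboxed) findings.push('frame is not sandboxed');
  if (a.sandboxed && !a.topNavigationBlocked) findings.push('sandbox permits top navigation');
  for (const t of a.unknownTokens) findings.push(`unknown sandbox token: ${t}`);
  if (a.canEscapeSandbox && !trustedOrigins.includes(frameOrigin)) {
    findings.push(`untrusted origin ${frameOrigin} could remove its own sandbox`);
  }
  return findings;
}

// Builds the hidden frame in a browser. `doc` is passed in (normally
// `document`) so the function can also be exercised outside a browser.
function createHiddenAuthIframe(doc, src) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts allow-same-origin');
  frame.setAttribute('src', src);
  frame.setAttribute('style', 'display:none');
  return frame;
}
```

In a browser, `createHiddenAuthIframe(document, url)` gives a frame the parent can still read (`frame.contentWindow.location`), since `allow-same-origin` keeps it in the page's origin, while the missing `allow-top-navigation` token is what stops the framed page from replacing the top-level page.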

Ah well, that makes sense. It still feels like the message is misleading in that case, since the sandboxing still has an effect, so I'd assume that Firefox should not confuse developers with it. I'm gonna check with them how they feel about it, thanks for your time :)
