[Bug Report] Meta Quest Browser Sandbox IFrame Requires "allow-same-origin"

Question

Hi Team,&nbsp;Thank for you for hard work! Meta Quest Browser has been awesome to develop with.&nbsp;&nbsp;I'd like to report a bug, or at least an oddity.. I've noticed that the Meta Quest Browser enforces sandboxed IFrames to have "allow-same-origin" be toggled, or else VR content cannot load and with threejs (webxr) specifically, it will crash the browser!&nbsp;This behavior does not happen on Chrome, though I am using a chrome plugin to use "VR" on my local workstation, so its not exactly a 1-to-1 test.&nbsp;&nbsp;To reproduce this issue, create a simple Iframe with threejs/babylonjs webxr content in the srcDoc attribute:&nbsp;This below example WILL work.&nbsp;&nbsp;      &lt;iframe
        scrolling={'no'}
        style={{
          display: 'block',
          border: 'none',
          margin: '0px',
          height: '100vh',
          width: '100vw'
        }}
        sandbox="allow-scripts allow-same-origin" 
        title={scene_uuid}
        srcDoc={sceneJsData}
        hidden={loadingScreenWait}
      /&gt;&nbsp;&nbsp;This below example will NOT work:&nbsp;      &lt;iframe
        scrolling={'no'}
        style={{
          display: 'block',
          border: 'none',
          margin: '0px',
          height: '100vh',
          width: '100vw'
        }}
        sandbox="allow-scripts"
        title={scene_uuid}
        srcDoc={sceneJsData}
        hidden={loadingScreenWait}
      /&gt;&nbsp;&nbsp;Having the sandbox only be allowed "allow-scripts" should be sufficient for webXR.&nbsp; Requiring both "allow-script allow-same-origin" actually breaks sandboxing altogether, because a script with allow-same-origin can break out of its own sandbox, according to MDN:&nbsp;https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe.&nbsp;Bonus points: crash the browser..&nbsp;If you wrap a sandboxed iframe in a sandboxed iframe you can crash the browser with threejs!&nbsp;Example:&nbsp;    &lt;iframe
      title={title}
      src={`/endpoint/with/sandboxedIframe/and/threejs/srcDoc`}
      scrolling={'no'}
      allow="xr-spatial-tracking;fullscreen;camera"
      sandbox="allow-scripts" 
      style={{
        display: 'block',
        border: 'none',
        margin: '0px',
        width: width,
        height: height,
        background: 'black'
      }}
    /&gt;and the srcDoc iframe on the other endpoint&nbsp;      &lt;iframe
        scrolling={'no'}
        style={{
          display: 'block',
          border: 'none',
          margin: '0px',
          height: '100vh',
          width: '100vw'
        }}
        sandbox="allow-scripts"
        title={scene_uuid}
        srcDoc={sceneJsData}
        hidden={loadingScreenWait}
      /&gt;

tnraddatz · Accepted Answer

Hey!You all fixed it! Thank you 🙂-Thomas

Forum Discussion

🚨 This forum is archived and read-only. To submit a forum post, please visit our new Developer Forum. 🚨

[Bug Report] Meta Quest Browser Sandbox IFrame Requires "allow-same-origin"

1 Reply

Quick Links

Other Meta Support

Related Content

Quest 2 - Software Update Required

MCHP Age requirements

Air link missing requirements ethernet connection

This application requires the Windows App Runtime

Applab requirement relating to streaming