Iframes cannot access the main frame’s DOM if the iframe is from a different origin than the main frame, and they never share the same JavaScript execution context, so an iframe can’t access the main frame’s variables etc.
It’s not required that iframes run in a different process, but I think they do at least in Chrome and Firefox if they’re from a different origin. Also, iframes with the sandbox attribute have a number of additional restrictions, which can be individually disabled when needed.
Are iframes really sandboxed in different processes than the main frame? On which browsers?
Iframes cannot access the main frame’s DOM if the iframe is from a different origin than the main frame, and they never share the same JavaScript execution context, so an iframe can’t access the main frame’s variables etc.
It’s not required that iframes run in a different process, but I think they do at least in Chrome and Firefox if they’re from a different origin. Also, iframes with the
sandbox
attribute have a number of additional restrictions, which can be individually disabled when needed.