Case ce-0076 · Scenario scenario-cors-restrictions

CORS restrictions may affect contenteditable in cross-origin iframes

OS: macOS 14.0
Device: Desktop or Laptop MacBook Pro
Browser: Safari 17.0
Keyboard: US
Status: draft
Tags: cors, iframe, security, safari, macos

Phenomenon

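When a contenteditable element is inside a cross-origin iframe, CORS restrictions may prevent certain operations. Accessing the contenteditable from the parent frame may be blocked, and some editing operations may be restricted. For direct DOM access from the parent, the rule that applies is the same-origin policy; CORS itself governs cross-origin network requests.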

Reproduction example

  1. Create a page with a cross-origin iframe.
  2. Inside the iframe, create a contenteditable div.
  3. Try to access the contenteditable from the parent frame.
  4. Try to programmatically modify the content.
  5. Observe any CORS-related errors or restrictions.

Observed behavior

  • In Safari on macOS, CORS restrictions apply to cross-origin iframes.
  • Accessing contenteditable content from the parent frame may be blocked.
  • Some operations may be restricted due to the same-origin policy.
  • Error messages may not be clear.

Expected behavior

  • CORS restrictions should be clearly documented.
  • Or, there should be a standard way to work with cross-origin contenteditable.
  • Error messages should be helpful.
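
The reproduction steps and the "standard way" asked for above, as an added example that is not part of the original case: the parent probes direct access and records the error name, then edits through `postMessage` with origin checks on both sides. The origins, the `set-text` message shape and all function names are assumptions made for illustration.

```javascript
// Added example. The origins are constructed placeholders, not values from the case.
const PARENT_ORIGIN = 'https://parent.example';
const EDITOR_ORIGIN = 'https://editor.example';

// Parent side, reproduction steps 3-5: touch the framed document directly.
// For a cross-origin frame, reading contentWindow.document throws a SecurityError.
function probeFrameAccess(frame) {
  try {
    return { accessible: frame.contentWindow.document != null, error: null };
  } catch (err) {
    return { accessible: false, error: err.name };
  }
}

// Parent side: ask the editor frame to change its own content,
// e.g. sendEdit(iframeElement, EDITOR_ORIGIN, 'hello').
// An explicit targetOrigin (never '*') keeps the text from being delivered
// to another origin if the frame has navigated.
function sendEdit(frame, editorOrigin, text) {
  frame.contentWindow.postMessage({ type: 'set-text', text }, editorOrigin);
}

// Iframe side: accept edits only from the expected parent, only as plain text.
function makeEditHandler(editable, parentOrigin) {
  return function onMessage(event) {
    if (event.origin !== parentOrigin) return false; // unexpected sender
    const msg = event.data;
    if (!msg || msg.type !== 'set-text' || typeof msg.text !== 'string') return false;
    editable.textContent = msg.text; // textContent: the payload is never parsed as HTML
    return true;
  };
}

// Browser wiring for the iframe document; skipped when run outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const editable = document.querySelector('[contenteditable]');
  if (editable) window.addEventListener('message', makeEditHandler(editable, PARENT_ORIGIN));
}
```

Logging the `error` field from `probeFrameAccess` alongside the case gives a concrete record of what the browser reported when direct access was refused.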
