Scenario: With an E2E encrypted web application, HTML/CSS/JS resources are decrypted locally. We want to display them inside a sandboxed iframe.
This POC demonstrates how we envisaged this working:
Note: Firefox Nightly helpfully provides the following message: 'An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.'
Problem: It is not possible to intercept requests inside an iframe unless the sandbox attribute contains allow-same-origin.
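
The trade-off described above, as an added example that is not part of the original post: a JavaScript check that classifies a sandbox token list by the two properties the post mentions. The function name `auditSandbox`, its result fields and the sample values are constructed for illustration.

```javascript
// Added example (not from the original post): classify the value of an
// iframe "sandbox" attribute. Names and sample values are assumptions.

// Sandbox tokens are separated by ASCII whitespace and compared
// case-insensitively.
function parseSandboxTokens(value) {
  return new Set(
    value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean)
  );
}

function auditSandbox(value) {
  const tokens = parseSandboxTokens(value);
  const sameOrigin = tokens.has("allow-same-origin");
  const scripts = tokens.has("allow-scripts");
  return {
    // Without allow-same-origin the framed document gets an opaque origin.
    opaqueOrigin: !sameOrigin,
    scriptsAllowed: scripts,
    // Per the post: requests inside the iframe can only be intercepted
    // when the sandbox attribute contains allow-same-origin.
    interceptable: sameOrigin,
    // Per the Firefox warning quoted in the post: this combination lets
    // the framed content remove its own sandboxing.
    canRemoveSandbox: sameOrigin && scripts,
  };
}

// Constructed sample attribute values.
const SAMPLES = [
  "",                                  // fully sandboxed
  "allow-scripts",                     // scripts run, opaque origin
  "allow-same-origin",                 // interceptable, no scripts
  "allow-scripts  Allow-Same-Origin",  // interceptable, sandbox removable
];

for (const value of SAMPLES) {
  const r = auditSandbox(value);
  const flags = Object.keys(r).filter((k) => r[k]).join(", ") || "none";
  console.log(JSON.stringify(value) + " -> " + flags);
}
```

None of the sample values yields both running scripts and interceptable requests without `canRemoveSandbox` also being set, which is the conflict the post reports.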