Hey everyone,
I’m currently building an Add-on that runs inside a third-party platform. The add-on is rendered inside a strict iframe with the following sandbox attributes (notably missing allow-popups-to-escape-sandbox and allow-top-navigation):
<iframe sandbox="allow-scripts allow-forms allow-same-origin allow-popups">
I need to initiate a standard OAuth 2.0 flow with a major third-party SaaS provider from within this iframe. This third-party OAuth provider enforces a strict Cross-Origin-Opener-Policy (COOP). Whenever I try to open their Auth URL from within my sandboxed iframe, Firefox and Chrome aggressively block the new tab from loading, showing a “Be careful. Something doesn’t look right” (COOP violation) screen.
It seems the new tab inherits the “opaque origin” or navigation taint from the sandboxed iframe, and the provider’s COOP immediately kills the connection.
What I’ve tried so far (and failed):
- Top-Level Navigation (target="_top")
- Standard New Tab (target="_blank" rel="noopener noreferrer")
- Server-Side Redirect (HTTP 307 Proxy)
- Client-Side HTML Gateway (<meta refresh>/location.replace)
- The Form Trick (<form target="_blank" method="GET">)
Has anyone successfully escaped a strict iframe sandbox to perform an OAuth flow with a strict-COOP provider without requiring manual copy/pasting?
Is there some hidden window.open trick, intermediate domain hopping setup, or architecture I’m missing, or am I completely at the mercy of the host platform adding allow-popups-to-escape-sandbox to their iframe?
Any insights or creative suggestions would be highly appreciated!
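For anyone auditing what a host platform's sandbox attribute actually grants, here is an added example (not the poster's code) that models the HTML spec's sandboxing-flag inheritance for the attribute quoted above: which capabilities the framed document has, and what a window opened from it inherits when allow-popups-to-escape-sandbox is absent. It is a simplified model covering only the tokens relevant to this question; the token names are the standard ones, everything else is constructed for the example.

```javascript
// Added example: a simplified model of the HTML spec's sandboxing flag set.
// Given an iframe's sandbox attribute, report what the framed document and any
// popup it opens are allowed to do. Only the tokens relevant here are modelled.

const KNOWN_TOKENS = new Set([
  "allow-scripts", "allow-forms", "allow-same-origin", "allow-popups",
  "allow-popups-to-escape-sandbox", "allow-top-navigation",
  "allow-top-navigation-by-user-activation", "allow-modals", "allow-downloads",
]);

// Split the attribute into lowercase tokens. Browsers silently ignore unknown
// tokens, so they are returned separately for the auditor to spot typos.
function parseSandbox(attr) {
  const tokens = attr.trim().split(/\s+/).filter(Boolean).map(t => t.toLowerCase());
  const known = new Set(tokens.filter(t => KNOWN_TOKENS.has(t)));
  const unknown = tokens.filter(t => !KNOWN_TOKENS.has(t));
  return { known, unknown };
}

// Capabilities of the framed document itself.
function frameCapabilities(attr) {
  const { known } = parseSandbox(attr);
  return {
    opaqueOrigin: !known.has("allow-same-origin"),
    scripts: known.has("allow-scripts"),
    forms: known.has("allow-forms"),
    popups: known.has("allow-popups"),
    topNavigation: known.has("allow-top-navigation") ||
      known.has("allow-top-navigation-by-user-activation"),
  };
}

// What a window opened from the frame (window.open / target="_blank") gets.
// Without allow-popups-to-escape-sandbox the popup inherits the frame's
// sandbox flags, so its origin is opaque exactly when the frame's is.
function popupCapabilities(attr) {
  const frame = frameCapabilities(attr);
  const { known } = parseSandbox(attr);
  if (!frame.popups) return { allowed: false, sandboxed: null, opaqueOrigin: null };
  const escapes = known.has("allow-popups-to-escape-sandbox");
  return {
    allowed: true,
    sandboxed: !escapes,
    opaqueOrigin: escapes ? false : frame.opaqueOrigin,
  };
}
```

Running it on the attribute from the question shows the popup is allowed but stays sandboxed, which is the constraint the host platform controls and the add-on cannot change from inside the frame.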