iframe-security-test
@poe

Platform diagnostic: probes the Poe app iframe sandbox for blocked vs allowed browser APIs.

About this tile

A platform diagnostic app that probes the Poe app iframe sandbox. Each check tries a potentially dangerous browser operation and reports whether the sandbox blocked it, allowed it, or left the result uncertain.

What you can do

  • Run all checks at once with the Run All Tests button, or fire any single probe with its row's Run button.
  • See pass/fail at a glance via the BLOCKED / ALLOWED / UNCERTAIN summary counters at the top of the page.
  • Probe navigation: window.open, top-frame navigation, form submission, and popups.
  • Probe storage and identity: localStorage, sessionStorage, cookies, IndexedDB, and clipboard read/write.
  • Probe network, DOM, scripting, and device APIs: fetch, WebSocket, parent/top DOM access, eval, dynamic <script> injection, geolocation, camera, mic, notifications, service workers, and nested iframe embedding via https:, data:, and blob: URIs.

Why this app exists

Poe apps run inside a blob: iframe with allow-scripts allow-forms only — no allow-same-origin, no storage, no top-level navigation. This app is the canonical way to verify those restrictions are still in place after platform changes.
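
The following added example (not the app's own code) shows one way a probe harness can sort results into the BLOCKED / ALLOWED / UNCERTAIN buckets described above. The probe names, the classification rules and the mock sandboxedEnv object are assumptions made for illustration; in a browser the harness would be passed the frame's window.

```javascript
// Added example: `env` stands in for the iframe's `window`. The classification
// rules are assumptions for illustration, not the app's actual logic.
const DENIAL_NAMES = new Set(["SecurityError", "NotAllowedError"]);

// Each probe returns true if the operation succeeded, false if it was refused
// without an exception (for example window.open returning null).
const PROBES = {
  localStorage(env) {
    env.localStorage.setItem("__probe", "1");
    env.localStorage.removeItem("__probe");
    return true;
  },
  cookies(env) {
    env.document.cookie = "__probe=1";
    return env.document.cookie.includes("__probe=1");
  },
  parentDom: (env) => env.parent.document != null,
  windowOpen: (env) => env.open("about:blank") !== null,
};

function classify(probe, env) {
  try {
    return probe(env) ? "ALLOWED" : "BLOCKED";
  } catch (err) {
    // A browser denial is a positive result; any other failure (API missing,
    // probe bug) says nothing about the sandbox, so it is not counted as a pass.
    return DENIAL_NAMES.has(err && err.name) ? "BLOCKED" : "UNCERTAIN";
  }
}

function runAll(env) {
  const results = {};
  const summary = { BLOCKED: 0, ALLOWED: 0, UNCERTAIN: 0 };
  for (const [name, probe] of Object.entries(PROBES)) {
    results[name] = classify(probe, env);
    summary[results[name]] += 1;
  }
  return { results, summary };
}

// Constructed stand-in for an opaque-origin frame (no allow-same-origin, no allow-popups).
function deny() { const e = new Error("denied"); e.name = "SecurityError"; throw e; }
const sandboxedEnv = {
  get localStorage() { return deny(); },
  document: { get cookie() { return deny(); }, set cookie(v) { deny(); } },
  get parent() { return { get document() { return deny(); } }; },
  open: () => null,
};
```

Treating unexpected exceptions as UNCERTAIN rather than BLOCKED keeps a missing or renamed API from being mistaken for a working restriction.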