Definitively checks whether a local (srcdoc) iframe can run
JavaScript, and whether that tracks the top-level page’s JS policy
The frame below is a local iframe whose document is embedded inline via
srcdoc. That document contains:
<script> that, if it runs, rewrites that line to
“JavaScript is ENABLED in this frame”.The detector is part of the frame itself, so it runs on load with no help from the top-level page. Whatever the frame shows is the definitive answer: the wording only changes if the frame’s own script actually executed. No network request and no arithmetic proxy is involved.
Because this iframe document is local to the embedding page, a browser’s script-blocking policy should apply equally to both contexts.
To test: load this page with JavaScript enabled and confirm the frame reports ENABLED. Then disable JavaScript for this page and reload. If the frame still reports ENABLED with JS disabled, the browser’s JS policy is not correctly propagated to local iframe documents.
The detector runs automatically when the frame loads.
Reloads the frame so the detector runs again.
| Scenario | Frame output | Verdict |
|---|---|---|
| JS enabled | JavaScript is ENABLED in this frame | Expected — JS runs in frame |
| JS disabled (protected) | JavaScript is DISABLED in this frame | Pass — JS policy propagates to iframe document |
| JS disabled (vulnerable) | JavaScript is ENABLED in this frame | Fail — frame JS runs despite top-level JS being off |