December 4, 2015

How to know if a page loaded via iframe is within sandbox?

Layke’s Question:

I’m trying to detect if a page is loaded via a sandboxed iframe. Is this possible?

For example,we provide custom embeddable widgets and some people think they are being smart by sandboxing them in their iframe, but this breaks certain things.. such as

Obviously, they could enable the features we need, but ideally, I should be able to just do something like:

"sandbox" in

I have also tried doing

try {
    // do something that would not work if within sandbox
} catch(e) {


But this doesn’t work because it’s a browser security error, and not related to javascript.

JSFiddle actually sandbox their iframes to prevent navigation, so this would be a good example to show you.
If you look at this example here:

You can see the error when you press the Instant Book Online button.

enter image description here

A project sandblaster can help you detect if you running being sandboxed.

Inside the iframe where you are testing if it is sandbox, open up your script tag and paste the contents of This is due to the security issue.

After this, its as simple as the following.

var result = sandblaster.detect();
if(result.sandboxed === true) {

Here is a demo I made for another answer but shows that the solution works.

Detect if JavaScript is Executing In a Sandboxed Iframe?

Omninternet’s Question:

I have a product that’s playing a video in Flash (if available), and falls back to HTML5 if Flash isn’t available.

I’m not able to find a way to determine if JavaScript is executing within an Iframe with the “sandbox” attribute, which is necessary for my solution because sandboxed iframes disable all plugins. The sandboxed iframe could be as simple as this:

<iframe src="" sandbox="allow-scripts">

To determine if Flash is enabled, I’m using swfobject’s method of checking navigator.plugins[“Shockwave Flash”].description, which is set even when in a sandboxed iframe. I can load the swf object, but it doesn’t play.

To reproduce this issue, visit, open your chrome inspector and click “Run”. The script on the cross-domain site will pause in the context of the sandboxed iframe.

According to the W3 spec at, there is supposed to be an “active sandboxing flag set” on the document that JavaScript can access (at least that’s how I’m reading the spec). There doesn’t seem to be any flag set on the iframe’s document.

Does anyone have any ideas / solutions on how to detect if JavaScript is executing from within a sandboxed iframe?

A project sandblaster can help you detect if you running being sandboxed.

Sandbox check if itself is framed first and then scans through the attributes of the frame element to detect several information about itself. These includes framed, crossOrigin, sandboxed, sandboxAllowances, unsandboxable, resandboxable, sandboxable.

To detect if itself is sandboxed in our case, it checks if the frame element has an attribute sandbox.

// On below `frameEl` is the detected frame element
try {
  result.sandboxed = frameEl.hasAttribute("sandbox");
catch (sandboxErr) {
  result.sandboxed = null;
  if (typeof errback === "function") {

I tried to replicate your issue and to test if this solution works, I had to paste the script into the window itself due to the security issue.


        //Paste the contents of the script( here

        var result = sandblaster.detect();
        if(result.sandboxed === true) {

Here is a demo: that shows this working.

December 2, 2015

Count Rows in Doctrine QueryBuilder

Acyra’s Question:

I’m using Doctrine’s QueryBuilder to build a query, and I want to get the total count of results from the query.

$repository = $em->getRepository('FooBundle:Foo');

$qb = $repository->createQueryBuilder('n')
        ->where(' = :bar')
        ->setParameter('bar', $bar);

$query = $qb->getQuery();

//this doesn't work
$totalrows = $query->getResult()->count();

I just want to run a count on this query to get the total rows, but not return the actual results. (After this count query, I’m going to further modify the query with maxResults for pagination.)

Something like:

$qb = $entityManager->createQueryBuilder();

$count = $qb->getQuery()->getSingleScalarResult();

For people who are using only Doctrine DBAL and not the Doctrine ORM, they will not be able to access the getQuery() method because it doesn’t exists. They need to do something like the following.

$qb = new QueryBuilder($conn);
$count = $qb->select("count(id)")->from($tableName)->execute()->fetchColumn(0);

Please fill the form - I will response as fast as I can!