Notification permission / push hijack
Call Notification.requestPermission and inspect permission prompts plus later phishing-notification risk.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | partial |
| sandbox="allow-scripts" | partial |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/notification-permission?lang=en" title="XSS Playground - Notification permission / push hijack" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Run
// no logs
Explanation
- Modern Chrome and Firefox block notification permission requests from cross-origin iframes. When testing, record whether the page is served over HTTPS, whether the call happens inside a user gesture, and whether the request runs in a top-level document.
- The risk is not immediate exfiltration; it is that an origin holding notification permission can send phishing notifications later. Long-lived push additionally requires a service worker and a push subscription flow.
- Do not delegate powerful browser permissions to arbitrary-host iframes. Permission APIs differ by browser, so verify behavior in the browsers you support.
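The test-record advice above, as an added example that is not part of the XSS Playground page or its embed: a small harness that captures the preconditions (secure context, user gesture, top-level vs. cross-origin frame) before calling `Notification.requestPermission()`, so a "denied" result can be attributed to the context rather than to the user. The button id `ask` is a hypothetical hook; `collectContext`/`classifyRequest` also work on a constructed stand-in for `window`.

```javascript
// Added example (not from the XSS Playground page): record the conditions the
// Explanation lists before calling Notification.requestPermission(), so that a
// "denied" result can be attributed to the context rather than to the user.
// `win` is the browser `window`; the checks also accept a constructed stand-in.
function collectContext(win) {
  const hasApi = typeof win.Notification === "function";
  let crossOriginFrame = false;
  if (win.top !== win) {
    // Reading the top document's location throws for a cross-origin or
    // sandboxed (opaque-origin) frame, which is the case browsers block.
    try { void win.top.location.href; } catch (e) { crossOriginFrame = true; }
  }
  const ua = win.navigator && win.navigator.userActivation;
  return {
    hasApi,
    secureContext: win.isSecureContext === true,
    topLevel: win.top === win,
    crossOriginFrame,
    userGesture: Boolean(ua && ua.isActive),
    permission: hasApi ? win.Notification.permission : "unsupported",
  };
}

// Predict what requestPermission() can do here. "blocked" means no prompt will
// be shown regardless of what the user would choose.
function classifyRequest(ctx) {
  if (!ctx.hasApi) return { outcome: "blocked", reason: "Notification API not exposed (unsupported or sandboxed)" };
  if (!ctx.secureContext) return { outcome: "blocked", reason: "not a secure context; HTTPS is required" };
  if (ctx.permission === "granted") return { outcome: "granted", reason: "origin already holds permission" };
  if (ctx.permission === "denied") return { outcome: "blocked", reason: "origin already denied" };
  if (ctx.crossOriginFrame) return { outcome: "blocked", reason: "cross-origin or sandboxed iframe; a top-level document is required" };
  if (!ctx.userGesture) return { outcome: "no-prompt", reason: "no user activation; prompt may be suppressed or auto-denied" };
  return { outcome: "prompt", reason: "preconditions met; the user decides" };
}

// Call from a click handler so the request runs inside a user gesture, then
// keep both the prediction and the browser's real answer for the test record.
async function probe(win) {
  const ctx = collectContext(win);
  const expected = classifyRequest(ctx);
  let actual = "not-called";
  if (expected.outcome === "prompt" || expected.outcome === "no-prompt") {
    actual = await win.Notification.requestPermission();
  }
  return { ctx, expected, actual };
}
// Hypothetical button id "ask"; only wired up when running in a browser.
if (typeof document !== "undefined" && document.getElementById("ask")) {
  document.getElementById("ask").addEventListener("click", () => probe(window).then(r => console.log(JSON.stringify(r))));
}
```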