Re: Chrome extension, writing content into a dynamic iframe created in a sandbox'ed environment

Mike West

Sep 25, 2012, 4:19:34 AM
to chromium-...@chromium.org
Sandboxed frames are forced into a unique origin. The inner iframe inherits the sandbox flags of its parent, meaning that it too is forced into a unique origin.

postMessage is the right way to do communication between the two frames, but if you're only trying to set the frame's content, you might have luck using the 'srcdoc' attribute to pass in HTML. For example:

    <iframe srcdoc="<html>content goes here</html>"></iframe>


-mike

On Tuesday, September 25, 2012 3:10:20 AM UTC+2, Lionel Chan wrote:
This is a duplication I have from stackoverflow: http://stackoverflow.com/questions/12561759/chrome-extension-writing-content-into-a-dynamic-iframe-created-in-a-sandboxed

-------------------

  1. I have this application that uses ExtJS library that I will need to run in Chrome extension. I have successfully created my messaging bridge (postMessage), and sandbox'ed the whole application in it, and everything works as usual. ExtJS loaded, application is running.

  2. Then I have this piece of logic where I need to preview an HTML snippet in my ExtJS viewport. I created an iframe in the Panel itself and on afterrender I tried to write the snippet into it. The code I use:

    html: '<iframe src="about:blank" style="width:100%;height:100%;border:none;"></iframe>',

    ......

    // p is the panel found in afterrender
    p.body.down('iframe').dom.contentDocument.write(content);

    Then the error:

    Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL chrome-extension://fcnpmlgapilgclcelfanblpbglmkghbc/core/themes/default/app.html. Domains, protocols and ports must match.

  3. I have tried with postMessage within sandbox to this dynamic iframe but nothing happens. Setting the sandbox attribute in manifest doesn't work either.

Question:

  1. How should one set the manifest to support this kind of use case?
  2. Or is there any better way to preview an HTML snippet without using an iframe? AFAIK previewing with an iframe is the best, as it sandboxes the snippet without it being messed up by the parent CSS.

Note

This piece of code was working fine in manifest v1 but I planned to migrate it to manifest v2. I didn't realize Content Security Policy (CSP) has become that strict.


Screen:

Attached is the draft of what I'm trying to do now. I wanted to write some content into the dynamically created iframe inside my sandbox environment without success. The iframe was loaded with "about:blank" btw. Correct way to do it?

Lionel Chan

Sep 25, 2012, 5:26:21 AM
to chromium-...@chromium.org
Thanks for the reply! I also found out the answer by myself @ http://stackoverflow.com/a/12576500/534862

Yep. It's dirty but postMessage works. srcdoc works like a charm too. Wonder what's the status for srcdoc?

Cheers
/Lionel
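
The two approaches discussed in this thread, as an added example that is not code from either poster: building `srcdoc` markup for a string-based `html:` config, and accepting `postMessage` traffic only from the preview frame. The function names, the `sandboxTokens` parameter and the sample snippet are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not from the thread.

// Escape a snippet for a double-quoted srcdoc attribute. Inside a quoted
// HTML attribute value only & and " need escaping; & must be replaced first.
function escapeSrcdoc(html) {
  return String(html).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Markup for a string-based `html:` config. An empty sandbox attribute gives
// the preview a unique origin with scripts disabled; pass 'allow-scripts' if
// the snippet has to post messages back.
function previewFrameMarkup(snippet, sandboxTokens = '') {
  const tokens = sandboxTokens.split(/\s+/).filter(Boolean);
  if (tokens.includes('allow-same-origin')) {
    // This token would take the frame out of its unique origin.
    throw new Error('allow-same-origin is not permitted for previews');
  }
  return '<iframe sandbox="' + tokens.join(' ') + '" srcdoc="' +
    escapeSrcdoc(snippet) +
    '" style="width:100%;height:100%;border:none;"></iframe>';
}

// Listener factory for the embedding page. A sandboxed frame's unique origin
// is reported as the string "null", which every sandboxed frame shares, so
// the sender is identified by comparing event.source with the frame's window.
function makeFrameListener(frameWindow, onData) {
  return function (event) {
    if (event.source !== frameWindow || event.origin !== 'null') {
      return false; // not from the preview frame: ignore
    }
    onData(event.data);
    return true;
  };
}

// Constructed sample input: quotes and an ampersand that would otherwise
// end the attribute early or be decoded as an entity.
const SAMPLE_SNIPPET = '<p title="x">A & B</p>';
```

In a page, the listener would be registered with `window.addEventListener('message', ...)`, and messages sent into the frame need a target origin of `'*'` because a unique origin cannot be named.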