chrome.scripting.executeScript inject code to iframe can not working in MV3

[bolin liao]

Hi：

I want to inject scripts to clear localStorage of iframe, but it not working。

// background.js

```

chrome.webNavigation.getAllFrames({ tabId: sender.tab.id }, async (frames) => {

const frame = frames.find((frame) => frame.url === data.pageUrl);

if (frame) {

await chrome.scripting.executeScript({

target: {

tabId: sender.tab.id,

documentIds: [frame.documentId],

// frameIds: [ frame.frameId ],

},

world: 'MAIN',

injectImmediately: true,

func: () => {

console.log('location.href', location.href, window.localStorage);

window.localStorage.clear();

},

});

sendResponse({ success: true, data: 'clear storage success' });

}

});

}

```

I found that the `func` run in a ISOLATE world, not in iframe excution enviroment, how can i inject code to iframe to interact with iframe excution enviroment, such as `localStorage`、`XMLHttpRequest`

[Jackie Han]

Your code is correct. It runs in Main world, and localStorage is cleared.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/76d78810-f23e-43c5-a7b3-a18fb87e894dn%40chromium.org.

[wOxxOm]

1. Don't use the MAIN world unless absolutely necessary (e.g. extracting variables or accessing a custom API), because it's unsafe and dangerous. The page or another extension may have spoofed the globals like localStorage, so your code won't do anything. The documentation should be fixed to include this warning in every article that mentions the `world` parameter.
2. Debug your code in devtools. Set a breakpoint inside and then inspect the variables.
3. Consider switching to a dedicated API for clearing data: chrome.browsingData

[bolin liao]

Thanks Reply

1. Yes, there are some functions that need to rely on executing code in "MAIN" world In my product, I will try my best to pay attention to security issues
2. localStorage.clear() does not work, it may be a problem with my browser（tpass.xxx.cn is nested into my page through iframe）, I check the localStorage of the devTool，the problem is as follows. what wrong with it?, my browser version is 113.0.5672.126（正式版本） (x86_64),  but it is fine in other browser

3.  chrome.browsingData is a good choice to clear localStorage and cookie,  Is there any good way to set localStorage?

[wOxxOm]

Try removing `world`, you don't need it to clear the storage anyway.

[Jackie Han]

localStorage.clear() does not work. but it is fine in other browser.

I guess the problem is elsewhere, not the code itself. You can test it in a clean environment, for example, in Chrome Canary or create another browser profile without any other extensions.

Also there are some situations/bugs you can't access localStorage, for example:

Issue 971848: Chrome extensions can't access localStorage when browsing a page with disabled cookies

In a sandboxed iframe.

[Patrick Kettner]

> The documentation should be fixed to include this warning in every article that mentions the `world` parameter.

I agree, woxxom. put it on the bug list for the docs site to get this added 

[Jackie Han]

put it on the bug list for the docs site to get this added

Is it an internal bug?

wOxxOm suggested adding a warning about Main world https://github.com/w3c/webextensions/issues/313 (many discussions in this issue). Finally, Rob Wu added it on MDN https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/ExecutionWorld

[Patrick Kettner]

Yes, this is on the internal bug. That being said, anyone is always welcomed to open a bug on the public facing side.