Is it possible to alleviate restrictions surrounding a canvas element's origin-clean flag when inside of a Chrome Extension domain?

389 views

Sean Anderson

Sep 24, 2013, 5:29:05 PM
to chromium-...@chromium.org
Hey all,

I have an <iframe> element hosted on a background page. The iframe has a different domain than my chrome extension. I've requested all the necessary permissions to inject JavaScript, HTML and CSS into the iframe. It all works great. 

I was hoping to render to my foreground page some of the information in this iframe. I can get access to the iframe from the foreground page via $(chrome.extension.getBackgroundPage().document).find('iframe'). I was hoping to then be able to render a screencap of a video currently residing in the iframe.

However, it appears that the following security restrictions are coming into play: http://www.w3.org/TR/html5/embedded-content-0.html#security-with-canvas-elements

Under normal circumstances, I would consider myself hosed. However, I've already got the full ability to inject and modify everything about the page thanks to elevated permissions from the extension. Did I drop the ball somewhere? Is it possible to interact more heavily with the iframe element through the extension? I suspect even base64 encoding the image data and posting a message back out of the iframe might work, but I continue to encounter security restrictions.

Forgive my naivety! Thank you for reading and let me know if you have any questions/concerns.

Thanks

Sean Anderson

Sep 24, 2013, 6:13:24 PM
to chromium-...@chromium.org

As a follow up -- I think I've tracked down the bug in question: https://code.google.com/p/chromium/issues/detail?id=161471#makechanges

It looks like using Chrome permissions to allow for content_script injection doesn't prevent canvas tainting. This is the real root cause of the issue. If the canvas wasn't tainted I would be able to post a base64 encoded representation of the image out of the iframe.

Scott Fujan

Sep 24, 2013, 6:22:18 PM
to Sean Anderson, Chromium-extensions
But you can add it to permissions to make it work.


--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/40b6e616-ee56-456c-b94b-0e3423141e44%40chromium.org.

Sean Anderson

Sep 24, 2013, 6:27:33 PM
to chromium-...@chromium.org, Sean Anderson
Scott,

Mmm. I don't think I can.

My manifest.json looks like:

    "permissions": [
        "management",
        "notifications",
        "storage",
        "idle",
        "webRequest",
        "webRequestBlocking",
        "*://*.youtube.com/"
    ],

and I inject my content script when it matches the appropriate iframe:

    "content_scripts": [
        {
            "matches": ["*://*.youtube.com/embed/*"],
            "all_frames": true,
            "js": ["js/thirdParty/underscore.js", "js/thirdParty/jquery.js", "js/inject/youTubeIFrameInject.js"]
        }
    ],

I'm unable to access "$('iframe').contents()" from my background page nor am I able to call toDataURL on a 'tainted' canvas element from within my injected content script. The bug posted above highlights the second issue. I have no idea why I am unable to access the contents from my background page, though.



Scott Fujan

Sep 24, 2013, 6:30:03 PM
to Sean Anderson, Chromium-extensions
Try "*://*.youtube.com/*"



Sean Anderson

Sep 24, 2013, 6:49:55 PM
to chromium-...@chromium.org, Sean Anderson
Hey Scott,

I went ahead and added the additional wild-card selector. My permissions now look like:

    "permissions": [
        "management",
        "notifications",
        "storage",
        "idle",
        "webRequest",
        "webRequestBlocking",
        "*://*.youtube.com/*"
    ]

I continue to receive the error as highlighted in this screenshot: http://i.imgur.com/1cb6EjG.png

Using the following code-snippet: https://gist.github.com/MeoMix/78edf2bade420c8c4187

I also try to access the contents of my iframe through my background page using the following code snippet:

https://gist.github.com/MeoMix/e12efeb616c8d113dc24

I am able to access the contents of the iframe before it loads, but not after: http://i.imgur.com/R7e524f.png

This just doesn't seem to align with my understanding of Chrome Extension permissions. Does it seem like an issue to you?

Please let me know if I can provide any more information to help resolve the issue. I'd be willing to take a stab at generating a small extension which demonstrates the issue if necessary.

Thanks,

Sean



Scott Fujan

Sep 24, 2013, 8:42:34 PM
to Sean Anderson, Chromium-extensions

Try loading the canvas in the background


Sean Anderson

Sep 24, 2013, 10:13:55 PM
to chromium-...@chromium.org, Sean Anderson
Scott,

The second console.log screenshot I provided, http://i.imgur.com/R7e524f.png , highlights my inability to receive data from the iframe after calling $('iframe').contents(). This only happens once the cross-domain src for the iframe has loaded. Since I can't access the contents of the iframe, I can't get a reference to the <video> element hosted by the iframe. So, I can't copy the image data from outside the iframe onto the canvas if I place the canvas on the background page. Does that make sense? Maybe I am missing something...

Sean

Sean Anderson

Sep 25, 2013, 12:34:04 AM
to chromium-...@chromium.org, Sean Anderson
I think YouTube is setting the X-Frame-Options header to SAMEORIGIN which is preventing me from accessing it.

Sean Anderson

Sep 25, 2013, 1:34:47 AM
to chromium-...@chromium.org, Sean Anderson
Mmm, nope.

    x-frame-options: ALLOWALL

is received when I load up the YouTube iframe player... and then I receive the message right after. Ho hum.

Sean

PhistucK

Sep 25, 2013, 3:12:25 AM
to Sean Anderson, Chromium-extensions
You cannot access the contents of the iFrame using code from the background page; that would violate the cross-origin security model (if the background page can access the iFrame, the iFrame can also access the background page, which can lead to vulnerabilities in case of a compromised page).
You must use message passing instead:

    iframe.contentWindow.postMessage

And listen to onmessage within the iFrame using the content script and send back messages using chrome.runtime.sendMessage.

Only the content script is able to access the <canvas> within the iFrame. This is by design.
However, there you hit the second issue - the tainted <canvas> issue.


PhistucK



Sean Anderson

Sep 25, 2013, 3:19:52 AM
to chromium-...@chromium.org, Sean Anderson
PhistucK,

Yep. You got it. That's what I was initially posting about and mentioned the fact that it is acknowledged as a bug: https://code.google.com/p/chromium/issues/detail?id=161471 and I am trying to find out if there are any workarounds for the issue.

Sean



PhistucK

Sep 25, 2013, 3:24:57 AM
to Sean Anderson, Chromium-extensions
Unfortunately, if the linked issue has no stated workarounds within the comments, I guess there are none.
Also, keep in mind that any workaround that is discovered that does not rely on extension semantics may just be a security issue, which means it would get fixed once it is publicly or privately disclosed, thus it would not be reliable.


PhistucK



Scott Fujan

Sep 25, 2013, 10:39:41 AM
to PhistucK, Sean Anderson, Chromium-extensions
Yep, it wasn't clear from the beginning of the bug that the problem was specifically within the content script context. If you can't find some url of an image or video to load directly into the background page, then it looks like it won't work for now.


