Injecting javascript into ISOLATED_WORLD_ID_GLOBAL from the browser


uazo

Sep 3, 2024, 2:59:02 AM
to Chromium-dev
Hello, everyone,
Maybe my question is a bit strange, but I was wondering why it is not allowed to inject JavaScript code from the browser into the main world.

Let me explain.
In the API ‘RenderFrameHostImpl::ExecuteJavaScript’, via ‘CanExecuteJavaScript’ it is explicitly required that the page is internal, whereas in ‘ExecuteJavaScriptInIsolatedWorld’ it is not permissible to use world 0.

At first I thought of a security constraint, which I cannot understand, since it is in any case permissible from an isolated world to modify the DOM and insert a script tag generated from a data URL, which then runs in the general context of the page.

Can you help me understand why such a limitation was inserted?

Thanks a lot!