Remote scripts in sandbox pages

[extension_tester]

Could someone please clarify about this article: https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/

It says "Starting in version 57, Chrome will no longer allow external web content (including embedded frames and scripts) inside sandboxed pages. Please use a webview instead."  

However, this issue (https://bugs.chromium.org/p/chromium/issues/detail?id=1220994) suggests that sandbox CSP should allow remote scripts.

Are these different things? 

[Ibrahim]

This means that you cannot embed js files from external domains or create iframes that point to an external website. Chrome will block these requests.

But you can use eval() function to evaluate remote js code.

[wOxxOm]

They accidentally disabled remote scripts for sandbox pages in Chrome 57 as reported in https://crbug.com/1220994. It's unclear so far whether this restriction will be lifted for MV3, but I'm not sure about that as MV3 disables remote scripts by design.

[Michael Cann]

Sigh. I wasted a day on this exact issue yesterday trying to get Stripe to load in a sandbox page :(

[Simeon Vincent]

Just popping in to confirm that the inability to modify sandbox page CSP is a bug. I've also updated crbug.com/1220994 with a minimal reproduction to assist with investigations.

If this issue is affecting your extension, please reply to this thread with a brief note on the features or functionality it's preventing you from using. This information will help us determine the relative priority of the bug. 

Simeon - @dotproto

Chrome Extensions DevRel

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/9dc729ea-2d2c-4a8a-a5aa-c7043965522bn%40chromium.org.

[Hans R.]

Our extension, AutoControl, is affected by this bug.

We provide a scripting API that allows our users to write their own scripts to extend the functionality of the extension.

One of the functions in this API allows to import JS module files (documented here). This works in content scripts but it does not work in sandboxed pages due to the aforementioned bug. Therefore that specific function in the API will sometimes work and sometimes not work. It depends on whether the user chooses to run the script in a webpage or as a background script.

We reported this issue years ago here https://crbug.com/1058208, but it hasn't received any attention at all.

On a related note, as the end of Manifest V2 approaches quickly, it looks like it won't be possible to run dynamic scripts at all by next year. We asked about this in 2020 and it was said that Manifest V3 would allow this functionality, but unfortunately that never came to be true.

We've halted all efforts to innovate in this area as all indicates that we'll have to remove the entire scripting functionality from our extension.

Even if MV3 allowed dynamic scripts eventually, it'll be too late for a seemless transition from MV2 to MV3 as we require significant amount of beta-testing in order to ensure the reliability of the new functionality. This cannot be achieved in a couple of months.