Latest version breaks injecting content script into sandboxed iframes

[Eduardo Fungairino]

We observed that the latest version of chrome (Google Chrome 127.0.6533.73) prevents our extension's content script from injecting into sandboxed iframes (i.e. iframe with the `sandbox` attribute https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox). We also observe the same behavior in Chromium on version 127.0.6533.17.

You can view this behavior on our testing page: https://pbx.vercel.app/frame-src/. We would expect the content script to be injected 3 times on that page (once for the top-level, once for the normal iframe and once for the sandboxed iframe), but it only occurs twice.

Any advice on how we can work around this issue, or any word from the Chromium team around this behavior?

[Eduardo Fungairino]

We created a chrome issue tracking this regression here: https://issues.chromium.org/issues/355256366

[Eduardo Fungairino]

It seems like this only impacts iframes using the `srcdoc` that also have the `sandbox` attribute. Content scripts are injected without an issue to iframes using the `src` attribute regardless of the `sandbox` attribute.

On Wednesday, July 24, 2024 at 3:17:06 PM UTC-4 Eduardo Fungairino wrote: