Reference:
MV3 doesn't allow remote scripts. Since Chrome 110, MV3 sandbox pages allow remote scripts. This is the only way to allow remote scripts in extension context.
For security reasons, you can't set "allow-same-origin" in the sandbox directive.
In my test, postMessage("foo", "*") can work, but if you don't specify "*" in the second parameter or use other values, it doesn't work. For example:
// in top frame
iframe.contentWindow.postMessage("hello", "*");
// in sandbox iframe
window.parent.postMessage("hello", "*");
I haven't delved into it, but apparently there are some remote scripts that don't work in sandbox mode. For example, YouTube iframe players can't work in a sandbox page (in other words, you can't embed a YouTube video in extension pages).
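Because the sandbox page runs without "allow-same-origin", messages have to be sent with "*" as the target origin, so the receiving side is where the sender gets checked. The following is an added example, not code from the original note: a top-frame receiver that accepts a message only if it came from the sandbox iframe's own window and has the expected shape. The message types, the size limit and the function names are hypothetical; the example assumes the sandboxed frame's opaque origin is reported as the string "null" in event.origin.

```javascript
// Hypothetical message types the extension page expects from its sandbox frame.
const ALLOWED_TYPES = new Set(["render-result", "render-error"]);
const MAX_PAYLOAD_CHARS = 64 * 1024; // assumed limit for this example

// Sender check: the window identity is the strong signal. event.origin is
// "null" for any opaque-origin frame, so it cannot identify the sandbox by itself.
function isFromSandbox(event, sandboxWindow) {
  return event.source === sandboxWindow && event.origin === "null";
}

// Returns a cleaned { type, payload } object, or null if the message is rejected.
function parseSandboxMessage(event, sandboxWindow) {
  if (!isFromSandbox(event, sandboxWindow)) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (!ALLOWED_TYPES.has(data.type)) return null;
  if (typeof data.payload !== "string") return null;
  if (data.payload.length > MAX_PAYLOAD_CHARS) return null;
  // Copy only the known fields so extra properties never reach the caller.
  return { type: data.type, payload: data.payload };
}

// Wiring for the extension page (top frame). `win` is the page's window and
// `iframe` is the element that hosts the sandbox page.
function attachSandboxListener(win, iframe, onMessage) {
  win.addEventListener("message", (event) => {
    const msg = parseSandboxMessage(event, iframe.contentWindow);
    if (msg !== null) onMessage(msg);
  });
}
```

The payload is still output of a remote script, so treat it as untrusted data in the extension page (for example, never pass it to eval or innerHTML).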