SharedArrayBuffer inside Chrome Extension Sandboxed iFrame

299 views
Skip to first unread message

Bentley Carr

unread,
Sep 30, 2021, 12:06:18 PM9/30/21
to Chromium Extensions

I am trying to use SharedArrayBuffer by setting up a document that is cross-origin isolated. However since it is in a Google Chrome extension and I need WebAssembly, I need to run this inside a sandboxed page.

I have a sandboxed page which is defined as such in my manifest.json

```json
{
    ...
    "sandbox": {
        "pages": ["sandbox.html"]
    },
    "content_security_policy": {
        "sandbox": "sandbox allow-scripts; script-src 'self' 'wasm-eval'; script-src-elem 'self' 'wasm-eval' blob:; worker-src 'self' blob:"
    },
    "cross_origin_embedder_policy": {
        "value": "require-corp"
    },
    "cross_origin_opener_policy": {
        "value": "same-origin"
    },
    ...
}
```

and I have also enabled cross-origin isolation with COOP and COEP.

The sandbox.html does nothing except use this script:

```javascript
window.addEventListener('load', () => {
    const thing = document.createElement('h1');
    thing.innerHTML = self.crossOriginIsolated ? 'GOOD am crossOriginIso' : 'BAD am not crossOriginIso';
    document.body.appendChild(thing);
});
```

Then I have a page outer.html which embeds sandbox.html in an iFrame.

<iframe src="sandbox.html" allow="cross-origin-isolated"></iframe>

When I open outer.html, I get the message "BAD am not crossOriginIso", ie the sandbox.html document inside the iFrame is not cross-origin isolated (and I cannot use SharedArrayBuffer).

Is there a way to enable cross-origin isolation in a Chrome extension with manifest v3 in an iFrame where the inner document is sandboxed (through manifest.json).

Perhaps more specifically, how does one add more featurePolicy.allowedFeatures() to a sandbox iFrame (which is sandboxed in the Chrome extension's manifest.json, not with the sandbox attribute).

I have noted the following things:

  • Opening sandbox.html directly without the iFrame, the page is cross-origin isolated.
  • Removing the sandbox attribute in manifest.json results in the document inside the iframe to be cross-origin isolated.
  • Executing document.featurePolicy.allowedFeatures() inside the iFrame gives a very small list of features (and doesn't include cross-origin-isolated). This list is a lot smaller than executing the same command when opening sandbox.html directly.
Reply all
Reply to author
Forward
0 new messages