chrome.management.setEnabled to disable iframe in extension


Andrew Grosset

Jan 9, 2023, 3:12:50 PM
to Chromium Extensions
I have an extension that uses iframes, and I would like to specifically prevent an extension from accessing a certain iframe.
In manifest.json I have "permissions": ["management"]

In the js of iframe I have 

document.body.onclick = function () {
    // "<extension id>" stands for the id of the extension to disable
    chrome.management.setEnabled("<extension id>", false);
};

I get an error saying chrome.management is undefined.
I think there are some security implications here as even if I launch a sandbox iframe the extension still has access to it. Is there any way to prevent any extension having access to an iframe?

wOxxOm

Jan 9, 2023, 5:26:26 PM
to Chromium Extensions, ag5...@gmail.com
chrome.management can be used only inside an extension script that runs in a context with chrome-extension://id/path URL e.g. the background script, the popup script, or any other page/frame with such a URL. Note that sandboxed frames can't use `chrome` API by definition because they are sandboxes for potentially dangerous code that you don't fully control. If you see chrome.management as undefined it means you're either not using it in the abovementioned contexts (e.g. you do it in a content script) or you didn't reload the extension on chrome://extensions page after editing manifest.json.

Disabling an extension disables it completely in the browser, not just in the iframe, so you should probably use a different approach.

It's unclear how exactly your extension uses iframes, which extension you want to prevent from accessing, what is "accessing" exactly, and how that "certain iframe" is created, so there may be various solutions, but assuming you do it inside a content script my suggestion is to place the target iframe inside your extension's iframe, here's an example for MV2 which can be easily converted to MV3: https://stackoverflow.com/a/24649134.
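
As an added example (not part of the reply above and not code from any extension mentioned in this thread): chrome.management used where it is available, in the extension's service worker, to report which other enabled extensions hold host permissions covering a frame's URL instead of disabling them. The message shape, the sample records and the simplified match-pattern matcher are assumptions, and `hostPermissions` is used only as a proxy for where an extension can inject scripts.

```javascript
// Added example. Needs "permissions": ["management"]; the helpers also run under Node.
// Simplified match-pattern -> RegExp (handles <all_urls>, "*" scheme, "*." hosts, path globs).
function patternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(https?|file|ftp|wss?):\/\/.*/;
  const m = /^(\*|https?|file|ftp|wss?):\/\/(\*|\*\.[^\/*]+|[^\/*]*)(\/.*)$/.exec(pattern);
  if (!m) return null; // malformed or unsupported pattern
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const scheme = m[1] === '*' ? 'https?' : m[1];
  const host = m[2] === '*' ? '[^/]*'
    : m[2].startsWith('*.') ? '(?:[^/]*\\.)?' + esc(m[2].slice(2))
    : esc(m[2]);
  const path = esc(m[3]).replace(/\*/g, '.*');
  return new RegExp('^' + scheme + '://' + host + path + '$');
}

// Enabled extensions (other than selfId) whose host permissions cover frameUrl,
// i.e. candidates for injecting content scripts into a web iframe at that URL.
function extensionsThatCanReach(frameUrl, infos, selfId) {
  return infos
    .filter((x) => x.enabled && x.type === 'extension' && x.id !== selfId)
    .filter((x) => (x.hostPermissions || []).some((p) => {
      const re = patternToRegExp(p);
      return re !== null && re.test(frameUrl);
    }))
    .map((x) => ({ id: x.id, name: x.name }));
}

// Constructed ExtensionInfo-like records; ids and names are placeholders.
const SAMPLE = [
  { id: 'aaaa', name: 'Blocker', type: 'extension', enabled: true, hostPermissions: ['<all_urls>'] },
  { id: 'bbbb', name: 'Mail helper', type: 'extension', enabled: true, hostPermissions: ['https://mail.google.com/*'] },
  { id: 'cccc', name: 'Disabled one', type: 'extension', enabled: false, hostPermissions: ['*://*/*'] },
  { id: 'dddd', name: 'Subdomains', type: 'extension', enabled: true, hostPermissions: ['https://*.example.com/*'] },
];

// Content scripts and sandboxed frames have no chrome.management, so they ask the
// service worker. The {type, url} message shape is a convention made up for this example.
if (typeof chrome !== 'undefined' && chrome.management) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    if (msg?.type !== 'who-can-reach') return false;
    chrome.management.getAll().then((infos) =>
      sendResponse(extensionsThatCanReach(msg.url, infos, chrome.runtime.id)));
    return true; // keep the channel open for the async response
  });
}
```
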

Andrew

Jan 9, 2023, 8:11:12 PM
to wOxxOm, Chromium Extensions
Thanks wOxxOm, yes I'm using iframes similar to the stackoverflow example, using manifest version 3.

What alerted me to this issue was another excellent extension called 'AdBlockPlus' (extension id: cfhdojbkjhnklbpkdaibdccddilifddb)
Whenever I (dynamically) build an iframe I noticed the following notification in Chrome Console:
"DevTools failed to load source map: Could not load content for chrome-extension://cfhdojbkjhnklbpkdaibdccddilifddb/browser-polyfill.js.map: System error: net::ERR_FILE_NOT_FOUND"
(obviously AdBlockPlus forgot to include the js.map file in their extension)

I can build multiple nested iframes (including sandbox type) and the above notification appears for each frame.

I'm beginning to think I'm probably worrying about nothing!

wOxxOm

Jan 10, 2023, 4:24:48 AM
to Chromium Extensions, ag5...@gmail.com, Chromium Extensions, wOxxOm
The error message implies that another extension is running inside the iframe, but in my tests it can't happen if you use the answer I've linked properly, so there's probably a mistake in your code or a bug in Chrome. Can you provide the extension (maybe a simplified one) that demonstrates the problem?

Andrew

Jan 10, 2023, 2:51:26 PM
to wOxxOm, Chromium Extensions
I set up a very basic frames example here: https://testextension1.s3.us-east-1.amazonaws.com/extension_iframe_test.zip
The manifest restricts it to "https://mail.google.com/*" (if you want it to run under another domain you will have to change the 2 "matches" in manifest)

The example loads an iframe within extension and no notification of missing map file.
Within that iframe an external sandbox iframe from amazon s3 can be loaded, when that iframe loads then the missing map file appears.

I suspect this is "normal", it would be great if there was a way to restrict access by extensions to this external iframe.

wOxxOm

Jan 10, 2023, 3:41:20 PM
to Chromium Extensions, ag5...@gmail.com, Chromium Extensions, wOxxOm
Ah, what I've tried earlier was embedding the web iframe inside an extension page so evidently Chrome behaves differently depending on the topmost document. I'd say it's a bug - either in Chrome or in the html specification. The expected behavior to me is that the document that contains the iframe must be the deciding factor for the browser to apply security restrictions to the child frame.

wOxxOm

Jan 10, 2023, 3:46:56 PM
to Chromium Extensions, wOxxOm, ag5...@gmail.com, Chromium Extensions
To quickly see the difference open your chrome-extension://ID/iframe1.htm in a new tab and load the external frame - it won't run other extensions.

Andrew

Jan 10, 2023, 4:17:07 PM
to wOxxOm, Chromium Extensions
"The expected behavior to me is that the document that contains the iframe must be the deciding factor for the browser to apply security restrictions to the child frame."

Yes, that was exactly what I was expecting (and hoping for!).
I agree that it sounds like a bug, especially since if we're going to sandbox an iframe then we should also expect that extensions are excluded by the sandbox attribute.

Many thanks!