chrome.scripting.executeScript accessing src doc iframes with sandbox attribute

[Michael Dougall]

Howdy!

I'm having problems executing a script inside a sandboxes iframe that uses srcdoc. 

chrome.scripting.executeScript(

{

target: { tabId: tab.id, allFrames: true },

func: () => {

console.log('code executing');

return Promise.resolve();

},

},

async (results) => {

results.forEach(() => {

console.log('got back!');

});

}

);

This works:

```

<iframe srcDoc="<h1>Hello world!</h1>" style={{ position: 'fixed', zIndex: 9999 }} sandbox=""></iframe>

```

This doesn't work:

```

<iframe srcDoc="<h1>Hello world!</h1>" style={{ position: 'fixed', zIndex: 9999 }} sandbox="allow-scripts"></iframe>

```

Is there something needed on my end (or the iframe end) to make this work? Assume removing sandbox is non-negotiable.

Cheers,

Mike

[Patrick Kettner]

Hi Michael,

The origin of an iframe that has a srcdoc is `null`, so it is a different origin than the host page. If you don't have all_urls set in your host_permissions, it would fail. If you have control of the iframe, you could set  allow-same-origin in the sandbox attribute, and that would fix your issue.

patrick

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/794340cb-c331-4573-834c-7f0720003f04n%40chromium.org.

[woxxom]

No, it's a bug.

executeScript by design should use matchOriginAsFallback mode (this is why it is not exposed as a distinct parameter, according to rdevlin who created this API). This mode handles such null origins, by using the ancestor's frame origin.