cross-site XHR within sandboxed iframe


Greg

Jul 23, 2012, 9:55:07 AM7/23/12
to chromium-...@chromium.org
Hi,

I'm developing a fairly complex Chrome extension, and we've started attempting to get our code running with manifest_version=2. It's not been a particularly enjoyable process (who enjoys rewriting code and increasing boilerplate?), but I want to thank the Chrome team for being transparent and honest about their decision-making and the timeline for tightening the CSP requirements.

Our main unresolved problem is that our extension performs extensive cross-site XHR / Ajax requests from the background page (to collect metadata from the web for our users). That wouldn't be a problem in itself, but for various reasons, our rather large codebase is built with ExtJS (a large JS framework loaded to the brim with eval() statements). We don't just use it for templating, but also the class system and data-abstraction functionality. As far as I can tell, there's no hope for ExtJS ever being eval-free.

So, we can get ExtJS running within a sandboxed iframe, but the cross-site scripting doesn't work. We're fine using messaging to access the chrome.* APIs from the sandboxed iframe, but it would be quite difficult to start communicating all Ajax requests and responses via messaging.

My question is this: is there any way to be able to both (a) use eval statements and (b) use cross-site XHR within the extension environment? It seems that content scripts have this combination of abilities (with the chrome.* APIs restricted, but cross-site scripting allowed), so I'm holding out a glimmer of hope that it might be possible within the background page as well.

Otherwise, I suppose our only remaining option is to rewrite everything from scratch, without the help of any libraries that use eval...

I imagine many other developers must be going through a similar process (upgrading to m_v=2). If others have any wisdom, guidance or advice to share, don't be shy!

Thanks,
 Greg

Paolo

Jul 23, 2012, 10:39:05 AM7/23/12
to chromium-...@chromium.org

My question is this: is there any way to be able to both (a) use eval statements and (b) use cross-site XHR within the extension environment? It seems that content scripts have this combination of abilities (with the chrome.* APIs restricted, but cross-site scripting allowed), so I'm holding out a glimmer of hope that it might be possible within the background page as well.
 
Have similar issues in an extension: being able to use cross-domain XHR from a sandboxed extension frame/page would help significantly.
I'd suggest you open a crbug.com issue with this request and see what happens.

Greg

Jul 26, 2012, 9:15:27 AM7/26/12
to chromium-...@chromium.org
Hi Mike,

Thanks for posting your thoughts. As far as I can tell, cross-site scripting is *not* allowed within a sandboxed iframe, as that is a part of what the sandboxing restricts. I haven't done it, but perhaps you could post a feature request to the chrome bug-tracker asking for an exception to be made to the sandbox security model for this use case.

Our product has users run the ExtJS UI from our website as a standard browser tab, which then communicates via message passing (via a content script loaded into the web-app tab) to the background-page for anything requiring cross-site scripting. We had hoped to use one shared ExtJS-based codebase for both the front-end and background page scripts, but in the end the only workable approach was to split apart the code so we can keep our extension Javascript eval-free.

--greg

On Wednesday, July 25, 2012 8:42:13 AM UTC-4, Michael wrote:

Greg,
Unfortunately, I cannot offer any wisdom, guidance or advice, but I am wondering if I am facing the same issue you have and was hoping you can confirm. I am trying to create my first extension, diving straight into the version 2 manifest because I want to eventually offer my web app as a packaged app. I am also using ExtJS. To get me started I have been trying to create a simple POC packaged app which has a grid and makes a REST call to a public server to populate the grid with data from the JSON returned by the request. I have everything running in a sandboxed iframe, and have given permission in the manifest to the URL processing the request (http://dev.sencha.com/), but I still get the following error:

Is cross-site scripting not allowed in an iframe, or does it look like I'm doing something else wrong?

Thanks,
Mike

Paolo

Jul 26, 2012, 4:34:12 PM7/26/12
to chromium-...@chromium.org
I created a request for this "feature", see http://crbug.com/139195
You might want to "star" the issue for more visibility with the developers.

Paolo

Jul 27, 2012, 10:33:18 AM7/27/12
to chromium-...@chromium.org
Our feature request has already been flagged as WontFix; it took a Chrome developer only a few minutes to come to this conclusion.
The suggestion to me is to completely rewrite my extension and the library I'm using, separating the portion of the code doing cross-origin XHR requests (to the background page) from the code doing inline scripting or using eval (either get rid of this entirely or use it in a sandboxed iframe/page).

The most irritating part of the discussion is the remark that allowing cross-origin XHR requests only in the background page and allowing inline scripts and eval only in sandboxed iframes/pages *does not actually eliminate any vulnerability*; it only makes it more complicated to program the type of functionality described in the first part of this post, forcing a functionality split and the use of sendMessage.

More and more I'm afraid my extension will be discontinued; too much hassle to fix for no additional features and with no guarantee either that even more stringent breaking changes won't be introduced again in the future :-(
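The split the thread keeps coming back to (cross-origin XHR only in the background page, eval-using library code only in a sandboxed page, the two joined by postMessage) is shown below as an added example; it is not code from the original posts or from any of the extensions discussed. The function names (createXhrProxy, createSandboxClient), the message shape, the host api.example.test and the doRequest callback standing in for XMLHttpRequest are all assumptions made for illustration. The browser-specific parts (window.postMessage, the iframe's contentWindow) are injected so the logic runs outside a browser, which is also how it is tested here.

```javascript
// Added example, not from the original thread: a postMessage bridge between a
// sandboxed extension page (may use eval/ExtJS, cannot do cross-origin XHR) and
// the background page (may do cross-origin XHR, must stay eval-free).
// Names, message fields and the api.example.test host are illustrative assumptions.

const MSG_TYPE_REQ = 'xhr-request';
const MSG_TYPE_RES = 'xhr-response';

// ---- Background-page side: the only place that touches the network ----------
// allowedOrigins should mirror the host permissions declared in manifest.json;
// doRequest(method, url, body) -> Promise<{status, body}> stands in for XHR.
function createXhrProxy({ allowedOrigins, doRequest, expectedSource = null }) {
  const allowed = new Set(allowedOrigins);
  const allowedMethods = new Set(['GET', 'POST']);
  return async function handleMessage(event, reply) {
    // A sandboxed frame has an opaque origin, so event.origin is "null" and
    // the only useful identity check is event.source against our own iframe.
    if (expectedSource !== null && event.source !== expectedSource) return null;
    const msg = event.data;
    if (!msg || msg.type !== MSG_TYPE_REQ || !Number.isInteger(msg.id)) return null;
    const respond = (fields) => {
      const res = { type: MSG_TYPE_RES, id: msg.id, ...fields };
      reply(res);
      return res;
    };
    let url;
    try { url = new URL(String(msg.url)); } catch (_) { return respond({ ok: false, error: 'bad-url' }); }
    if (url.protocol !== 'https:' && url.protocol !== 'http:') return respond({ ok: false, error: 'bad-scheme' });
    if (!allowed.has(url.origin)) return respond({ ok: false, error: 'origin-not-allowed' });
    if (!allowedMethods.has(msg.method)) return respond({ ok: false, error: 'method-not-allowed' });
    try {
      const { status, body } = await doRequest(msg.method, url.href, msg.body);
      // Pass the body through as a string; the sandbox parses it with JSON.parse,
      // never eval, so a hostile response cannot become code on either side.
      return respond({ ok: true, status, body: String(body) });
    } catch (_) {
      return respond({ ok: false, error: 'network-error' });
    }
  };
}

// ---- Sandboxed-page side: correlates replies to requests by id ------------
// post(msg) stands in for window.parent.postMessage(msg, '*').
function createSandboxClient(post) {
  let nextId = 1;
  const pending = new Map();
  return {
    request(url, method = 'GET', body = undefined) {
      const id = nextId++;
      return new Promise((resolve, reject) => {
        pending.set(id, { resolve, reject });
        post({ type: MSG_TYPE_REQ, id, url, method, body });
      });
    },
    onMessage(event) {
      const msg = event.data;
      if (!msg || msg.type !== MSG_TYPE_RES) return;
      const p = pending.get(msg.id);
      if (!p) return; // unknown or already-answered id: ignore
      pending.delete(msg.id);
      if (msg.ok) p.resolve({ status: msg.status, body: msg.body });
      else p.reject(new Error(msg.error));
    },
    pendingCount() { return pending.size; },
  };
}

// Wire both sides together in-process with a constructed fake network
// (no real requests are made). In a real extension the background page does
//   window.addEventListener('message', e => proxy(e, r => frame.contentWindow.postMessage(r, '*')));
// and the sandboxed page does window.parent.postMessage(req, '*').
async function demo() {
  const fakeNetwork = async (method, href) => ({ status: 200, body: JSON.stringify({ method, href }) });
  const proxy = createXhrProxy({ allowedOrigins: ['https://api.example.test'], doRequest: fakeNetwork });
  let client;
  const deliverToSandbox = (res) => client.onMessage({ data: res });
  client = createSandboxClient((req) => { proxy({ data: req }, deliverToSandbox); });

  const ok = await client.request('https://api.example.test/items?limit=2');
  let blocked = null;
  try { await client.request('https://evil.example.test/x'); } catch (e) { blocked = e.message; }
  let badMethod = null;
  try { await client.request('https://api.example.test/x', 'DELETE'); } catch (e) { badMethod = e.message; }
  return { status: ok.status, body: JSON.parse(ok.body), blocked, badMethod, pending: client.pendingCount() };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The proxy is deliberately dumb: it forwards only to origins it was configured with, only with GET or POST, and hands the body back as an opaque string. That is the part of the split that actually buys something, since the sandboxed page's eval surface never sees the chrome.* APIs and the network-facing page never evaluates anything it received.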
