Closed Bug 1517017 Opened 5 years ago Closed 5 years ago

sandbox="allow-same-origin" is necessary to execute a content script in an <iframe>

Categories: Core :: DOM: Security, defect
Version: 64 Branch

RESOLVED DUPLICATE of bug 1411641

People: Reporter dw-dev, Unassigned

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce:

I have already developed Tile Tabs WE as a successor to my legacy (XUL/XPCOM) Tile Tabs extension.  However, many users still want to be able to display multiple web pages within a single browser window.  So, I am currently developing a new add-on (Tile Pages WE) to meet this need.  Tile Pages WE is designed to work with both Firefox and Chrome.

Tile Pages WE includes an add-on page (moz-extension://.../container.html) that contains the sandboxed <iframe> elements that contain the web pages to be displayed:

    <html id="container">
        <head>
        </head>
        <body>
            <!-- bare "sandbox" applies every restriction: unique origin, no scripts, no forms -->
            <iframe id="webpage1" src="url1" sandbox></iframe>
            <iframe id="webpage2" src="url2" sandbox></iframe>
            <iframe id="webpage3" src="url3" sandbox></iframe>
        </body>
    </html>

Tile Pages WE needs to execute a content script in each of the <iframe>s in order to implement some key features (e.g. synchronized scrolling of web pages).

When using Chrome, this content script executes correctly, without any relaxation of the <iframe> sandbox.  However, when using Firefox, this content script only executes if the <iframe> sandbox restrictions are relaxed with “allow-same-origin”.

I don’t understand why Firefox is behaving differently to Chrome.  The Chrome extensions documentation states that: “content scripts are not affected by the page's CSP”.  Surely this should also be true for an <iframe> sandbox, which I assume is implemented using the same underlying techniques as a CSP sandbox.

This difference in behaviour between Firefox and Chrome looks like a bug.

I have tried to get a better understanding of what the “allow-same-origin” value is meant to do, but this has proven more difficult than expected:

1. Some references say that “allow-same-origin” treats an <iframe> as if it is from the same origin as the containing document or parent page, and gives access to the parent page data and APIs.

2. Other references say that “allow-same-origin” treats an <iframe> as if it is from the same origin as itself (presumably the origin in the 'src' attribute).

Which is correct, 1 or 2?

Actual results:

A content script will not execute in a sandboxed <iframe> unless the sandbox restrictions are relaxed with “allow-same-origin”.

Expected results:

A content script should execute in a sandboxed <iframe> without any relaxation of the sandbox restrictions.

In any case, surely Firefox and Chrome should behave in the same way.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Thanks for confirming that this bug is a duplicate of Bug 1411641.

As mentioned above, I have tried to get a better understanding of what the <iframe> sandbox “allow-same-origin” value is meant to do, but this has proven more difficult than expected:

1. Some references say that “allow-same-origin” treats an <iframe> as if it is from the same origin as the containing document or parent page, and gives access to the parent page data and APIs.

2. Other references say that “allow-same-origin” treats an <iframe> as if it is from the same origin as itself (presumably the origin in the 'src' attribute).

So, I have two questions:

- Which is correct, 1 or 2?

- More specifically, if a web page is in a sandboxed <iframe> in an add-on page (moz-extension://.../container.html), does sandbox=“allow-same-origin” give the web page access to the add-on page data and/or to the WebExtension APIs?
Flags: needinfo?(kmaglione+bmo)
Without allow-same-origin, pages loaded into the iframe are given a unique origin, and cannot access data from other pages which would otherwise have the same origin. With allow-same-origin, they're treated the same as any other page load, in that respect.
Flags: needinfo?(kmaglione+bmo)
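To make the origin rule stated in that answer concrete, here is an added model (not code from this bug, from Firefox, or from Tile Pages WE) of how the sandbox attribute's tokens decide the framed document's origin and whether it is same-origin with the embedding page; the helper names, the example URLs and the placeholder extension id are assumptions:

```javascript
// Added model of the <iframe> sandbox "allow-same-origin" rule described in the bug.
// Hypothetical helper code, not Firefox's implementation or Tile Pages WE code.
// Rule modelled: without allow-same-origin the framed document gets an opaque
// ("null") origin; with it, the document keeps the origin of its own URL.

// The sandbox attribute is a space-separated, ASCII case-insensitive token set;
// browsers ignore unknown tokens, so they are harmless here as well.
function parseSandbox(attrValue) {
  return new Set((attrValue || "").trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// scheme://host[:port] of a URL. Computed by hand rather than via URL.origin,
// because Node's URL parser reports "null" for non-special schemes such as
// moz-extension:, while Firefox treats moz-extension: pages as a real origin.
function tupleOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Origin the framed document is given, as window.origin would serialize it.
function framedOrigin(srcUrl, sandboxTokens) {
  return sandboxTokens.has("allow-same-origin") ? tupleOrigin(srcUrl) : "null";
}

// Assess one sandboxed <iframe> from the embedding page's point of view.
function assessFrame(embedderUrl, srcUrl, attrValue) {
  const tokens = parseSandbox(attrValue);
  const origin = framedOrigin(srcUrl, tokens);
  const sameOriginAsEmbedder = origin !== "null" && origin === tupleOrigin(embedderUrl);
  // HTML spec caveat: a frame that is same-origin with its embedder and has both
  // allow-scripts and allow-same-origin can remove its own sandbox attribute, so
  // the sandbox then provides no isolation at all.
  const sandboxEscapable =
    sameOriginAsEmbedder && tokens.has("allow-scripts") && tokens.has("allow-same-origin");
  return { origin, sameOriginAsEmbedder, sandboxEscapable, scriptsAllowed: tokens.has("allow-scripts") };
}

// Constructed examples mirroring the container page in the bug report
// (the extension id in the URL is a placeholder, not a real one).
const CONTAINER = "moz-extension://0123abcd-placeholder/container.html";
console.log(assessFrame(CONTAINER, "https://example.com/page", ""));
console.log(assessFrame(CONTAINER, "https://example.com/page", "allow-same-origin"));
```

The last two lines show the two cases from the bug: a bare `sandbox` yields origin "null", and adding `allow-same-origin` yields "https://example.com", which is still not the extension page's origin.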
Thanks for the clarification.

I have one final question...

I have nearly completed development of my new Tile Pages WE add-on, which is very similar to my original legacy Tile Tabs extension, and I expect Tile Pages WE to be used by quite a lot of people.

Tile Pages WE uses <iframe>s to embed web pages into a (moz-extension:) container page, and because of the possible security risks, I would like an expert to review Tile Pages WE before I submit it for release.

Can you suggest someone who could do this review?
Flags: needinfo?(kmaglione+bmo)
Flags: needinfo?(kmaglione+bmo)