Closed Bug 1517017 Opened 11 months ago Closed 11 months ago

sandbox="allow-same-origin" is necessary to execute a content script in an <iframe>

Categories

(Core :: DOM: Security, defect)

64 Branch
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 1411641

People

(Reporter: dw-dev, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce:

I have already developed Tile Tabs WE on as a successor to my legacy (XUL/XPCOM) Tile Tabs extension.  However, many users still want to be able to display multiple web pages within a single browser window.  So, I am currently developing a new add-on (Tile Pages WE) to meet this need.  Tile Pages WE is designed to work with both Firefox and Chrome.

Tile Pages WE includes an add-on page (moz-extension://.../container.html) that contains the sandboxed <iframe> elements that contain the web pages to be displayed:

    <html id="container">
        <head>
        </head>
        <body>
            <iframe id=”webpage1” src=”url1” sandbox>
            <iframe id=”webpage2” src=”url2” sandbox>
            <iframe id=”webpage3” src=”url3” sandbox>
        </body>
    </html>

Tile Pages WE needs to execute a content script in each of the <iframes>’s in order to implement some key features (e.g. synchronized scrolling of web pages) .

When using Chrome, this content script executes correctly, without any relaxation of the <iframe> sandbox.  However, when using Firefox, this content script only executes if the <iframe> sandbox restrictions are relaxed with ”allow-same-origin”.

I don’t understand why Firefox is behaving differently to Chrome.  The Chrome extensions documentation states that: “content scripts are not affected by the page's CSP”.  Surely this should also be true for an <iframe> sandbox, which I assume is implemented using the same underlying techniques as a CSP sandbox.

This difference in behaviour between Firefox and Chrome looks like a bug.

I have tried to get a better understanding of what the “allow-same-origin” value is meant to do, but this has proven more difficult than expected:

1. Some references say that “allow-same-origin” treats an <iframe> as if it is from the same origin as the containing document or parent page, and gives access to the parent page data and APIs.

2. Other references say that “allow-same-origin” treats an <iframe> as if it is from the same origin as itself (presumably the origin in the 'src' attribute). 

Which is correct, 1 or 2 ?
    


Actual results:

A content script will not execute in a sandboxed <iframe> unless the sandbox restrictions are relaxed with ”allow-same-origin”.
    


Expected results:

A content script should execute in a sandboxed <iframe> without any relaxation of the sandbox restrictions.

In any case, surely Firefox and Chrome should behave in the same way.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 11 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1411641
Thanks for confirming that this bug is a duplicate of Bug 1411641.

As mentioned above, I have tried to get a better understanding of what the <iframe> sandbox “allow-same-origin” value is meant to do, but this has proven more difficult than expected:

1. Some references say that “allow-same-origin” treats an <iframe> as if it is from the same origin as the containing document or parent page, and gives access to the parent page data and APIs.

2. Other references say that “allow-same-origin” treats an <iframe> as if it is from the same origin as itself (presumably the origin in the 'src' attribute). 

So, I have two questions:

- Which is correct, 1 or 2 ?

- More specifically, if a web page is in a sandboxed <iframe> in an add-on page (moz-extension://.../container.html), does sandbox=“allow-same-origin” give the web page access to the add-on page data and/or to the WebExtension APIs?
Flags: needinfo?(kmaglione+bmo)
Without allow-same-origin, pages loaded into the iframe are given a unique origin, and cannot access data from other pages which would otherwise have the same origin. With allow-same-origin, they're treated the same as any other page load, in that respect.
Flags: needinfo?(kmaglione+bmo)
Thanks fot the clarification.

I have one final question ... 

I have nearly completed development of my new Tile Pages WE add-on, which is very similar to my original legacy Tile Tabs extension, and I expect Tile Pages WE to be used by quite a lot of people.

Tile Pages WE uses <iframe>'s to embed web pages into a (moz:extension:) container page, and because of the possible security risks, I would like an expert to review Tile Pages WE before I submit it for release.

Can you suggest someone who could do this review?
Flags: needinfo?(kmaglione+bmo)
You need to log in before you can comment on or make changes to this bug.