1988419 - `import()` halts forever in content script in `iframe[sandbox]:not([sandbox~="allow-script"])`

Status: RESOLVED FIXED

(WebExtensions :: General, defect, P2)

Description

[Danny Lin]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0

Steps to reproduce:

1. Create an extension with following files:

   {
     "name": "Test import from content script MV2",
     "version": "0.1",
     "manifest_version": 2,
     "background": {
       "scripts": ["background.js"]
     },
     "content_scripts": [
       {
        "all_frames": true,
        "matches": ["<all_urls>"],
        "js": ["content.js"]
       }
     ],
     "web_accessible_resources": [
       "*.mjs"
     ],
     "browser_action": {}
   }
   

   /* content.js */
   console.log("content", location.href);
   (async () => {
     await import(browser.runtime.getURL("module.mjs"));
   })();
   
   

   /* module.mjs */
   console.log("module imported", location.href);
   

2. Load the extension.

3. Host a website with following files (either with local server or with config security.fileuri.strict_origin_policy = false):

   <!-- index.html -->
   <!DOCTYPE html>
   <iframe src="frame.html" sandbox="allow-same-origin"></iframe>
   

   <!-- frame.html -->
   <!DOCTYPE html>
   frame content
   

4. Open the website and visit index.html.

5. Visit the inspector.

Actual results:

The log has content and module imported for index.html while only content in frame.html.

Expected results:

The log should have content and module imported for index.html and frame.html.

Comment 1

[Danny Lin]

The previous message had some extraneous data, especially for manifest.json. Here is the revised one:

• manifest.json

  {
    "name": "Test import from content script MV2",
    "version": "0.1",
    "manifest_version": 2,
    "content_scripts": [
      {
       "all_frames": true,
       "matches": ["<all_urls>"],
       "js": ["content.js"]
      }
    ],
    "web_accessible_resources": [
      "*.mjs"
    ]
  }
  

• content.js

  console.log("content", location.href);
  (async () => {
    await import(browser.runtime.getURL("module.mjs"));
  })();
  

• module.mjs

  console.log("module imported", location.href);
  

• index.html

  <!DOCTYPE html>
  <iframe src="frame.html" sandbox="allow-same-origin"></iframe>
  

• frame.html

  <!DOCTYPE html>
  frame content
  

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 3

[Rob Wu [:robwu]]

When I open the global Browser Console or Browser Toolbox and set it to Multiprocess mode, opening index.html in the STR results in the following error:

TypeError: error loading dynamically imported module: moz-extension://486e628d-81a2-499e-abec-77bd6b1cabd9/module.mjs

If I change index.html by adding an iframe with allow-scripts in its sandbox, the script runs as expected. The log output in the Browser Console (Multiprocess) is as follows:

TypeError: error loading dynamically imported module: moz-extension://486e628d-81a2-499e-abec-77bd6b1cabd9/module.mjs
content http://localhost:8000/ content.js:1:9
module imported http://localhost:8000/ module.mjs:1:9
content http://localhost:8000/frame.html content.js:1:9
content http://localhost:8000/frame.html?with-allow-scripts content.js:1:9
module imported http://localhost:8000/frame.html?with-allow-scripts module.mjs:1:9
Unable to find target with innerWindowId:25769803797 3 watcher.js:196:13

(all of these logs, except for the error are also shown in the tab's console.)

Tom, any ideas on what to do here? There are two bugs here:

1. The error is not associated with the devtools of that window (maybe a separate bug?)..
2. Dynamic import fails in a content script running in a frame that is sandboxed without the allow-scripts directive.

Comment 4

[Danny Lin]

(In reply to Rob Wu [:robwu] from comment #3)

Thank you for the feedback. The allow-same-origin was initially used for script-modified iframe related behavior, while it proves to be unrelated and this issue also applies to a simplar case like sandbox="".

Updated the title to better reflect the problem.

Comment 5

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi] OOO]

Attachment: Bug 1988419 - No need to check document's CSP for WebExtensions.

Since CanStartLoad() is invoked from JavaScript, the caller can already
execute JS code, making the allow-script check redundant.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:willdurand, could you have a look please?

For more information, please visit BugBot documentation.

Comment 7

[Pulsebot]

Pushed by allstars.chh@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/b5afcc29507d
https://hg.mozilla.org/integration/autoland/rev/225543b1bd63
No need to check document's CSP for WebExtensions. r=robwu

Comment 8

[pstanciu]

https://hg.mozilla.org/mozilla-central/rev/225543b1bd63