
Issue 770271

Starred by 5 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression




Chrome extension blocks loading external script in sandbox page

Reported by kts...@gmail.com, Sep 29 2017

Issue description

Chrome Version       : 61.0.3163.100
OS Version: OS X 10.12.6
URLs (if applicable) : Not applicable
Other browsers tested: Not applicable

What steps will reproduce the problem?
1. Setup a chrome extension using the manifest, eventpage and sandbox page attached.
2. Load the extension and inspect the background page.
3. Check the loading status of the external script in the sandbox page.

What is the expected result?
The external script in the sandbox page should load.

What happens instead of that?
The external script in the sandbox page is blocked.

Please provide any additional information below. Attach a screenshot if
possible.

I am basically following these two documentation pages:

https://developer.chrome.com/extensions/sandboxingEval
https://developer.chrome.com/extensions/manifest/sandbox

So it looks like this is not allowed according to the doc:

"Starting in version 57, Chrome will no longer allow external web content (including embedded frames and scripts) inside sandboxed pages. Please use a webview instead"

"Also, the CSP you specify may not allow loading external web content inside sandboxed pages."

The doc asks me to use webview, but webview is only available in Chrome Apps. Next I uploaded sandbox.html to a CDN and replaced it in eventpage.html. The external script loads this time, probably because that external page doesn't have the CSP blocking the script.

I don't understand why the same script is blocked when used in sandbox.html in the extension but not when sandbox.html is loaded from an external domain. I know it's because of CSP, but why did Chrome decide to block it this way?

This change is probably added in this commit:
https://codereview.chromium.org/2563843002

It doesn't say why it was changed either. At the bottom of the thread, it says it only applies to Chrome apps, but that's not true: the change applies to both apps and extensions.

UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36



 
manifest.json (324 bytes)
eventpage.html (117 bytes)
sandbox.html (169 bytes)

Comment 1 by meh...@chromium.org, Sep 29 2017

Cc: lazyboy@chromium.org
Components: Platform>Extensions Internals>Sandbox>SiteIsolation
+lazyboy@ from the mentioned CL in comment#0.
Cc: sc00335...@techmahindra.com
Labels: Needs-Triage-M61 Needs-Feedback Triaged-ET
Unable to reproduce this issue on reported version 61.0.3163.100 and on latest canary 63.0.3232.0 using Mac 10.12.6 with steps mentioned below.

1. Downloaded all files attached and saved in one folder.
2. Enabled developer mode in chrome://extensions and opened that bug by dragging folder to it.
3. Now clicked on eventpage.html and observed only Sandbox.html

In M57 [57.0.2950.0] in addition to sandbox.html we are also seeing ajv.min.js file as well. -- Attaching screenshot for reference.

@Reporter: Could you please let us know whether this is the expected behaviour? Else could you please attach a screenshot of what is expected.  
Issue 770271 M57 and M61 behaviour.png (216 KB)

Comment 3 by kts...@gmail.com, Oct 4 2017

No your screenshot is not what I see. Attaching a screenshot of what's expected.
Screen Shot 2017-10-04 at 8.48.06 AM.png (310 KB)
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 4 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "sc00335628@techmahindra.com" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Type-Bug -Pri-3 hasbisect-per-revision M-63 OS-Linux OS-Windows Pri-1 Type-Bug-Regression
Owner: lazyboy@chromium.org
Status: Assigned (was: Unconfirmed)
Able to reproduce the issue on Windows 10, Ubuntu 14.04 and Mac 10.12.6 using chrome stable version #61.0.3163.100 and latest canary #63.0.3232.0.

Bisect Information:
=====================
Good build: 57.0.2970.0	 Revision(441083)
Bad Build : 57.0.2971.0	 Revision(441288)

Change Log URL: 
https://chromium.googlesource.com/chromium/src/+log/b7448a1314f899cd98e8becfccb90241211c13eb..faa3e9c3de15cf738fac0bc21406f2af3cc424c7

From the above change log suspecting below change
Review URL: https://codereview.chromium.org/2563843002

lazyboy@ - Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks...!!
krajshree@ is this still reproducible?
This is very reproducible.

Just make a Chrome Extension with a sandboxed HTML file that loads any script from an external URL. The message I get in my background page's console is:

"Refused to load the script '[URL HERE]' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval'"."

When will this be fixed, or when will we have an answer as to whether or not this was an intentional change?
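
Why the policy quoted in the console error above refuses a CDN script, as an added example that is not part of the original thread and not Chrome's code: a simplified `script-src` matcher run against constructed URLs. The extension ID, CDN host and `lib/` path are placeholders, and the function names are hypothetical.

```javascript
// Added illustration: simplified CSP script-src matching, not Chrome's implementation.
// Supports 'self', scheme sources ("https:") and scheme-qualified host sources
// ("https://cdn.example.com", "https://*.example.com"); ports and paths are ignored.

// Policy string copied from the console error quoted in the thread.
const SANDBOX_CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
// Constructed sample values: the extension ID, CDN host and lib/ path are placeholders.
const SANDBOX_PAGE = "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/sandbox.html";
const EXTERNAL_SCRIPT = "https://cdn.example.com/ajv.min.js";
const BUNDLED_SCRIPT = "lib/ajv.min.js";

function parseDirective(policy, name) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive not present
}

function sourceMatches(source, url, page) {
  if (/^'.*'$/.test(source)) {
    // Keyword sources: only 'self' can match a URL. 'unsafe-inline' and
    // 'unsafe-eval' relax inline script and eval(), never a remote fetch.
    return source === "'self'" &&
      url.protocol === page.protocol && url.host === page.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(source);
  if (!m) return false; // unsupported form in this sketch
  if (url.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[2].toLowerCase();
  return host.startsWith("*.") ? url.hostname.endsWith(host.slice(1))
                               : url.hostname === host;
}

function scriptAllowed(policy, scriptUrl, pageUrl) {
  // script-src falls back to default-src when it is absent.
  const sources = parseDirective(policy, "script-src") ??
                  parseDirective(policy, "default-src");
  if (sources === null) return true; // neither directive: scripts are unrestricted
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, page);
  return sources.some((s) => sourceMatches(s, url, page));
}

console.log("external:", scriptAllowed(SANDBOX_CSP, EXTERNAL_SCRIPT, SANDBOX_PAGE)); // false
console.log("bundled: ", scriptAllowed(SANDBOX_CSP, BUNDLED_SCRIPT, SANDBOX_PAGE));  // true
```

Per the documentation quoted in the report, a sandbox CSP may not allow external web content from version 57 on, so `'self'` is the only source in this policy that can match a script URL.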

Comment 8 by nasko@chromium.org, Feb 21 2018

Components: -Internals>Sandbox>SiteIsolation
