
Issue 816121

Starred by 4 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression




Page CSP with sandbox blocks chrome-extension:// iframe

Reported by woxxom@gmail.com, Feb 24 2018

Issue description

Chrome 64.0.3282.140

==========================

1. unpack and install the attached extension
2. open a page with 'sandbox' in its CSP, for example:
   https://raw.githubusercontent.com/PyvesB/JavAssembly/master/README.md

==========================

Expected: a message box appears that says "Loaded!"

Observed: 1) no message box
          2) devtools console says:
             Blocked script execution in 'chrome-extension://afngaibdclgkoblanmmafidlblbhdohn/inject.html' 
             because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

==========================

Bisect info: 519411 (good) - 519420 (bad)
https://chromium.googlesource.com/chromium/src/+log/87a4dbb1..5cbaaf8a?pretty=fuller
Suspecting r519420 = 5cbaaf8a0fbb6f2ef61fb12f7b461cf8009d985d = https://crrev.com/c/712711 by iclelland@google.com
"Track CSP-set sandbox flags separately from frame owner flags"
Landed in 64.0.3279.0
 
Attachment: test-ext-iframe.zip (1.0 KB)
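The report hinges on how a `sandbox` directive in a page's CSP becomes sandboxing flags, and on the fact that a nested frame inherits its parent document's flags, so a frame created inside a CSP-sandboxed page has scripts blocked unless `allow-scripts` is present. The following is an added example written for this page (not code from Chromium, and not the reporter's attached extension): a small model of that computation following the HTML spec's "creation sandboxing flags" rule. The header value `RAW_README_CSP` is a constructed sample of the shape the report's example page serves, and the function names (`parseCsp`, `sandboxFlagsFromCsp`, `childFrameFlags`) are this example's own. Whether a `chrome-extension://` frame should be exempt from the inherited flags is the question the thread raises; the model only shows the default, non-exempt behaviour that produces the console message quoted above.

```javascript
// Added example, not Chromium code: model how CSP `sandbox` turns into
// sandboxing flags and how an <iframe> inside that document inherits them.

// Flag names follow the HTML spec's "sandboxed <X> browsing context flag" set.
const ALL_FLAGS = new Set([
  'scripts', 'forms', 'popups', 'same-origin', 'top-navigation',
  'pointer-lock', 'modals', 'orientation-lock', 'presentation', 'downloads',
]);

// Each `allow-<flag>` keyword clears exactly one flag.
const ALLOW_KEYWORDS = new Map([...ALL_FLAGS].map(f => [`allow-${f}`, f]));

// Constructed sample header value (assumption: modelled on a raw-file host
// that sandboxes everything it serves, as in the report's repro URL).
const RAW_README_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox";

// Parse a Content-Security-Policy header value into Map<directive, tokens>.
// Per the CSP spec, a repeated directive name is ignored after its first use.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Flags forced on a document by its own CSP. No `sandbox` directive means no
// flags; a bare `sandbox` means every flag is set; `allow-*` tokens clear flags.
function sandboxFlagsFromCsp(headerValue) {
  const directives = parseCsp(headerValue);
  if (!directives.has('sandbox')) return new Set();
  const flags = new Set(ALL_FLAGS);
  for (const token of directives.get('sandbox')) {
    const cleared = ALLOW_KEYWORDS.get(token.toLowerCase());
    if (cleared) flags.delete(cleared);
  }
  return flags;
}

// Flags from an <iframe sandbox="..."> attribute; null means the attribute is
// absent, while an empty string means `sandbox=""` (everything restricted).
function sandboxFlagsFromAttribute(attrValue) {
  if (attrValue === null) return new Set();
  return sandboxFlagsFromCsp(`sandbox ${attrValue}`);
}

// A nested document's flags are the union of the parent document's active
// flags and the flags from its own <iframe> attribute. This inheritance is
// what blocks the injected frame in the report: the parent is CSP-sandboxed
// without allow-scripts, so the child cannot run script either.
function childFrameFlags(parentCsp, iframeSandboxAttr) {
  return new Set([
    ...sandboxFlagsFromCsp(parentCsp),
    ...sandboxFlagsFromAttribute(iframeSandboxAttr),
  ]);
}

// True when the "sandboxed scripts" flag is not set.
function scriptsAllowed(flags) {
  return !flags.has('scripts');
}

// Human-readable verdict for a frame injected into a page with the given CSP.
function explainInjectedFrame(parentCsp) {
  const flags = childFrameFlags(parentCsp, null);
  return scriptsAllowed(flags)
    ? 'injected frame may run script'
    : "injected frame is sandboxed and 'allow-scripts' is not set";
}
```

Running `explainInjectedFrame(RAW_README_CSP)` yields the sandboxed verdict even though the injected `<iframe>` carries no `sandbox` attribute of its own, which is the situation the console message in the report describes; adding `allow-scripts` to the parent's directive flips the verdict. The model ignores the frame's scheme entirely, so it has no notion of the extension exemption the reporter describes in Comment 6.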

Comment 1 by woxxom@gmail.com, Feb 24 2018

Also observed in the current Chrome Canary and latest snapshot builds.
Labels: Needs-Triage-M64
Cc: sindhu.chelamcherla@chromium.org
Labels: -Type-Bug -Pri-3 Triaged-ET RegressedIn-64 M-64 Target-65 FoundIn-66 Target-66 FoundIn-64 FoundIn-65 Target-64 hasbisect OS-Linux OS-Mac OS-Windows Pri-1 Type-Bug-Regression
Owner: iclelland@google.com
Status: Assigned (was: Unconfirmed)
Able to reproduce this issue on reported version 64.0.3282.140 using Mac 10.13.3, Windows 10 and Ubuntu 14.04.

As per comment#0, suspecting https://chromium-review.googlesource.com/712711 and assigning to respective owner.

@ iclelland: Please help in re-assigning the bug if it is not related to your change. Also adding RB-stable for M-64. Please change if not the case.

Thanks!
Is the issue here that chrome-extension: urls should be allowed to execute script, even when contained within an otherwise-sandboxed frame?
Owner: iclell...@chromium.org

Comment 6 by woxxom@gmail.com, Feb 27 2018

The DOM things added by an extension have always been exempted from page CSP. Extensions act on user's behalf and hence must be able to override the author's (site's) intent. 
Thanks for clarifying; I'll take a look.

Comment 8 by woxxom@gmail.com, Mar 11 2018

Is this a low priority bug due to some internal stats that show the reported use case is rare? I find it a bit sad when the mature sub-system of extensions in Chrome gets rekt by unrelated changes as it makes Chrome look like the competing browsers that just recently started to implement WebExtensions and which have lots of weird quirks and bugs in the supposedly basic parts of the extensions API.
Has there been any progress on this issue? The regression was introduced all the way back in Chromium 64.0, but unfortunately still seems to be present in recent versions. As highlighted by woxxom in his previous message, I'm also surprised this is a low priority. Developers can no longer rely on iframes in sandboxed pages; this has had a breaking impact on some extensions, and as such I also think it should be treated much more seriously.
