[Webkit-unassigned] [Bug 221283] New: iframe sandbox prevents extension script event listeners

bugzilla-daemon at webkit.org
Tue Feb 2 12:37:56 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=221283

            Bug ID: 221283
           Summary: iframe sandbox prevents extension script event
                    listeners
           Product: WebKit
           Version: Safari 14
          Hardware: Mac (Apple Silicon)
                OS: macOS 11
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: opendarwin at lapcatsoftware.com

Created attachment 419048

  --> https://bugs.webkit.org/attachment.cgi?id=419048&action=review

Example html document

Overview:
If an iframe has the sandbox attribute without allow-scripts, then Safari web extension event listeners won't get called in the iframe.

This is contrary to Google Chrome, which does allow extension event listeners in a sandbox iframe. Moreover, Content-Security-Policy script-src 'none' also still allows extension event listeners. So iframe sandbox should only prevent web page script, not extension script.


Steps to Reproduce:
1. Put the attached "index.html" document in /Users/Shared (to avoid Mac TCC issues)
2. cd /Users/Shared
3. /usr/bin/python -m SimpleHTTPServer 8000
4. Build and run the attached sample Xcode project "SandboxTest"
5. Open Safari
6. Select "Allow Unsigned Extensions" from the Develop menu.
7. Open Safari Preferences Extensions pane.
8. Enable the SandboxTest extension.
9. Select "Always Allow on Every Website..."
10. Open http://localhost:8000
11. Open the web inspector console
12. Click inside the sandbox iframe

Actual Results:
[Error] Blocked script execution in 'https://example.org/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Expected Results:
[Log] SandboxTest mousedown:  – "H1" (content.js, line 7)

Additional Information:
This bug also affects Safari app extensions and affects Safari 14 on Catalina and Mojave on Intel Macs.

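Added example, not part of the bug report or its attachments: a sketch that an extension's content script in the parent document could use to find the iframes affected by the behavior reported above, by parsing each sandbox attribute as a set of case-insensitive, whitespace-separated tokens. The function names, the stand-in document object and the sample frame URLs are assumptions made for illustration.

```javascript
// Added example: not code from the bug report or the SandboxTest project.

// Returns true when a sandbox attribute value blocks script execution.
// attrValue === null means the iframe has no sandbox attribute at all.
function sandboxBlocksScripts(attrValue) {
  if (attrValue === null || attrValue === undefined) return false;
  // Tokens are separated by ASCII whitespace and compared case-insensitively.
  const tokens = attrValue
    .split(/[ \t\n\f\r]+/)
    .filter(Boolean)
    .map((t) => t.toLowerCase());
  return !tokens.includes("allow-scripts");
}

// Hypothetical helper: list the iframes in which, per the report,
// extension event listeners would not be called in Safari 14.
function framesWhereListenersMayNotFire(doc) {
  const affected = [];
  for (const frame of doc.querySelectorAll("iframe")) {
    const value = frame.getAttribute("sandbox");
    if (sandboxBlocksScripts(value)) {
      affected.push({ src: frame.getAttribute("src"), sandbox: value });
    }
  }
  return affected;
}

// Constructed stand-in for a DOM document so the example runs outside a browser.
function makeFakeDocument(frames) {
  return {
    querySelectorAll: () =>
      frames.map((attrs) => ({
        getAttribute: (name) => (name in attrs ? attrs[name] : null),
      })),
  };
}

// Constructed sample frames (URLs are placeholders).
const sampleDoc = makeFakeDocument([
  { src: "https://example.org/", sandbox: "" },
  { src: "https://example.org/a", sandbox: "allow-same-origin allow-forms" },
  { src: "https://example.org/b", sandbox: "Allow-Scripts allow-popups" },
  { src: "https://example.org/c" },
]);
console.log(framesWhereListenersMayNotFire(sampleDoc));
```

In a real content script, pass the page's document object instead of the stand-in.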