Chrome app: accessing an isolated sandbox iframe from a parent window

I am using knockoutjs in my Google Chrome application. To be able to use knockout, I have to define the actual application.html as a sandbox page and include it as an iframe in a dummy container. The structure of the application is as follows:

    - container.html
      |
      +-- application.html as iframe
          |
          +-- knockout and application.js

An iframe is defined as follows:

  <iframe src="application.html" frameborder="0" sandbox="allow-same-origin allow-scripts" ></iframe> 

Running

 document.getElementsByTagName("iframe")[0] 

in the container.html validation tool throws the following error.

 Sandbox access violation: Blocked a frame at "chrome-extension://hllbklabnppjkmnngfanldbllljfeaia" from accessing a frame at "chrome-extension://hllbklabnppjkmnngfanldbllljfeaia". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag. 

How can I access an iframed document from parent?

+4
2 answers

Found the culprit. This is my proxy.js, which is included in the container.html file and used as a bridge for passing messages between the iframe application and background.js. The following part is the one that listens for messages sent from the iframe.

    window.addEventListener("message", function(evt) {
        console.log(evt); // <= this is the problem
        var iframe = document.getElementById("application").contentWindow; // <= not this one
        if (evt.source == iframe) {
            return chrome.runtime.sendMessage(null, evt.data);
        }
    });

I did not think that console.log would cause a problem. Instead, I suspected the document.getElem .. line, since trying to run that code in the application verification window raised the error.

But it looks like console.log (the console seems to belong to the container.html area) refers to some internals of the event object that are not meant to be accessed from the iframe area (which explains why I get the same error when checking the console). Removing the console.log line solved this problem for me.

+1

Do something like this:

manifest.json

  "sandbox": { "pages": ["my_ui.html"] } 

my_ui.html

    <script type="text/javascript" src="knockout-1.2.3.4.js"></script>
    <script type="text/javascript" src="my_ui.js"></script>

my_ui.js

    this.onSomethingChange = function() {
        window.top.postMessage(
            { command: 'please-do-something', myArgument: this.myArgument() },
            '*');
    };

container.html

    <script type="text/javascript" src="container.js"></script>
    <iframe id="knockoutFrame" src="my_ui.html"></iframe>

container.js

    window.addEventListener('message', function(event) {
        var kocw = document.getElementById('knockoutFrame').contentWindow;
        // etc. (placeholder: set this to the content window of your app page)
        var anotherContentWindow = null;
        var dest;
        if (event.source == kocw) {
            // The knockout iframe sent us a message. So we'll forward it to our
            // app code.
            dest = anotherContentWindow;
        }
        if (event.source == anotherContentWindow) {
            // Our app code is responding to the knockout message (or initiating
            // a conversation with that iframe). Forward it to the knockout code.
            dest = kocw;
        }
        if (dest == null) {
            console.log('huh?');
            return; // unknown sender or no destination: nothing to forward
        }
        // This makes container.js like a gatekeeper, bouncing valid messages between
        // the sandboxed page and the other page in your app. You should do
        // better validation here, making sure the command is real, the source
        // is as expected for the kind of command, etc.
        dest.postMessage(event.data, '*');
    });

Your statement, "I have to define the actual application.html as a sandbox page and include it as an iframe in a dummy container", is probably not what you wanted. The idea is to sandbox the smallest thing possible, have it message out to a gatekeeper page that checks the messages, and have the gatekeeper forward narrow messages to your non-isolated application logic. If you just put everything in the sandbox, you defeat the purpose of the sandbox.

Disclaimer: I have not carefully studied this code in terms of security. You want to assume that hostile messages come from the sandbox (or from other sources, for that matter), and do everything you can to eliminate this threat.

+2
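One way to do the "better validation" that the container.js comment in the answer above asks for, as an added example that is not code from either answer. The `update-view` command, the field limits and the assumption that `myArgument` is a string are hypothetical; only `please-do-something` comes from the page.

```javascript
// Added example. 'update-view', the size limits and the string type of
// myArgument are assumptions; 'please-do-something' is the answer's command.
const RULES = {
  'please-do-something': {
    from: 'sandbox', to: 'app',
    fields: { myArgument: v => typeof v === 'string' && v.length <= 256 },
  },
  'update-view': { // hypothetical command sent by the app code
    from: 'app', to: 'sandbox',
    fields: { value: v => typeof v === 'number' && Number.isFinite(v) },
  },
};

// Returns { dest, message } when every check passes, otherwise null.
// `windows` is { sandbox: <contentWindow>, app: <contentWindow> }.
function routeMessage(event, windows) {
  // Identify the sender by window identity: a sandboxed page runs in a
  // unique origin, so event.origin cannot be matched against a known value.
  if (!event.source) return null;
  const sender = event.source === windows.sandbox ? 'sandbox'
    : event.source === windows.app ? 'app' : null;
  const data = event.data;
  if (sender === null || data === null || typeof data !== 'object') return null;
  // hasOwnProperty keeps inherited names such as 'constructor' out of the lookup.
  if (typeof data.command !== 'string' ||
      !Object.prototype.hasOwnProperty.call(RULES, data.command)) return null;
  const rule = RULES[data.command];
  if (rule.from !== sender) return null; // real command, wrong sender
  // Rebuild the message from validated fields only, so extra keys are dropped.
  const message = { command: data.command };
  for (const [name, isValid] of Object.entries(rule.fields)) {
    if (!isValid(data[name])) return null;
    message[name] = data[name];
  }
  return { dest: windows[rule.to], message };
}

// Wiring inside container.js (commented out so the block also runs under Node):
// window.addEventListener('message', function (event) {
//   var routed = routeMessage(event, { sandbox: kocw, app: anotherContentWindow });
//   if (routed) routed.dest.postMessage(routed.message, '*');
// });
```

The gatekeeper forwards the rebuilt `message`, never `event.data` itself, so anything the rules do not name never reaches the unsandboxed page.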