221283 – iframe sandbox prevents extension script event listeners

Bug 221283 - iframe sandbox prevents extension script event listeners

Summary: iframe sandbox prevents extension script event listeners

Status:	RESOLVED DUPLICATE of bug 218086

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Frames (show other bugs)
Version:	Safari 14
Hardware:	Mac (Apple Silicon) macOS 11

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-02-02 12:37 PST by Jeff Johnson
Modified:	2021-02-05 18:06 PST (History)
CC List:	6 users (show)

See Also:

Attachments
Example html document (582 bytes, text/html) 2021-02-02 12:37 PST, Jeff Johnson	no flags	Details
Sample Xcode project (215.74 KB, application/zip) 2021-02-02 12:38 PST, Jeff Johnson	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeff Johnson 2021-02-02 12:37:56 PST

Created attachment 419048 [details]
Example html document

Overview:
If an iframe has the sandbox attribute without allow-script, then Safari web extension event listeners won't get  called in the iframe.

This is contrary to Google Chrome, which does allow extension event listeners in a sandbox iframe. Moreover, Content-Security-Policy script-src 'none' also still allows extension event listeners. So iframe sandbox should only prevent web page script, not extension script.


Steps to Reproduce:
1. Put the attached "index.html" document in /Users/Shared (to avoid Mac TCC issues)
2. cd /Users/Shared
3. /usr/bin/python -m SimpleHTTPServer 8000
4. Build and run the attached sample Xcode project "SandboxTest"
5. Open Safari
6. Select "Allow Unsigned Extensions" from the Develop menu.
7. Open Safari Preferences Extensions pane.
8. Enable the SandboxTest extension.
9. Select "Always Allow on Every Website..."
10. Open http://localhost:8000
11. Open the web inspector console
12. Click inside the sandbox iframe

Actual Results:
[Error] Blocked script execution in 'https://example.org/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Expected Results:
[Log] SandboxTest mousedown:  – "H1" (content.js, line 7)

Additional Information:
This bug also affects Safari app extensions and affects Safari 14 on Catalina and Mojave on Intel Macs.

Comment 1 Jeff Johnson 2021-02-02 12:38:25 PST

Created attachment 419049 [details]
Sample Xcode project

Comment 2 Jeff Johnson 2021-02-02 12:44:15 PST

You can see from the console log that the extension content script itself does get run in the sandbox iframe. So it's just the script's event listener that doesn't get called.

Comment 3 Radar WebKit Bug Importer 2021-02-02 14:22:13 PST

<rdar://problem/73898565>

Comment 4 Smoley 2021-02-05 18:06:30 PST


*** This bug has been marked as a duplicate of bug 218086 ***