Can someone explain the issue behind the rule: "Sandboxed iframes with attributes ‘allow-scripts’ and ‘allow-same-origin’ are not allowed for security reasons."

If I’m reading the docs right, the issue would only arise if the host page and the iframe page were coming from the same origin:

So why is loading an iframe inside an addon page with a sandbox attribute a problem?

Can someone help me build a proof of concept that would allow code inside the iframe to remove its “sandbox” attribute?
Because as far as I know, CORS will prevent it:

(async () => {
  /**
   * Proof of concept - removing the "sandbox" attribute using JavaScript running INSIDE the iframe!
   * Execute this code inside an addon page - the addon needs the "<all_urls>" and "webNavigation" permissions.
   * How it works: we create an iframe inside the addon page, load the "example.com" page into it,
   * and then use "tabs.executeScript" to run code inside that page.
   */
  const iframe = document.createElement('iframe');
  iframe.sandbox = 'allow-scripts allow-same-origin';
  iframe.src = 'https://example.com/';
  // Wait for the frame's load event instead of sleeping for a fixed time.
  const loaded = new Promise(resolve => iframe.addEventListener('load', resolve, {once: true}));
  document.body.textContent = '';
  document.body.appendChild(iframe);
  await loaded;

  const tab = await browser.tabs.getCurrent();
  const frames = await browser.webNavigation.getAllFrames({tabId: tab.id});
  // Pick our frame by URL; the order of getAllFrames() results is not guaranteed.
  const target = frames.find(frame => frame.url.startsWith(iframe.src));
  await browser.tabs.executeScript(tab.id, {
    frameId: target.frameId,
    runAt: 'document_idle',
    code: `
      document.body.firstElementChild.style.setProperty('background', 'darkgreen', 'important');   // change the background to verify we are injected
      // But this won't work: Error: Permission denied to access property "document" on cross-origin object
      window.top.document.querySelector('iframe').removeAttribute('sandbox');
    `
  });
})();

When the embedded document has the same origin as the embedding page…

I believe that warning only applies if you’re loading the same origin (in your case, another page from the extension) into a sandboxed iframe.

By default, a sandboxed iframe loaded from any host (including example.com or your own extension) isn’t treated as being same-origin with that host, and thus can’t access cookies and local storage from it. Adding allow-same-origin drops this protection, so if you’re loading a page from your own extension in that iframe, it will now behave as if it’s same-origin with the parent, which would enable it to change/remove its own sandbox attribute.

In your example, that is already not possible because you’re loading a different host (example.com) and the normal Same Origin Policy rules prevent it.

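An added illustration of the distinction Tom describes (example code written for this thread, not taken from any post above or from Firefox): two srcdoc frames run the same script. The frame granted allow-same-origin shares the parent page's origin, reaches the parent document and strips its own sandbox attribute; the frame without it has an opaque origin and the same access is refused. The frame names and the message format are arbitrary choices made for the demo.

```html
<!doctype html>
<meta charset="utf-8">
<title>Which frame can strip its own sandbox attribute?</title>
<pre id="log"></pre>
<script>
  // Parent page. Each frame reports what happened via postMessage.
  const logEl = document.getElementById('log');
  window.addEventListener('message', (e) => { logEl.textContent += e.data + '\n'; });

  // Script every frame runs: reach up into the parent document and remove the
  // sandbox attribute from the <iframe> element hosting this very frame.
  // window.name is the frame's name attribute, set in addFrame() below.
  const framed = `
    <script>
      try {
        // Throws a SecurityError unless this frame is same-origin with the parent.
        const host = window.parent.document.querySelector('iframe[name="' + name + '"]');
        const before = host.getAttribute('sandbox');
        host.removeAttribute('sandbox');
        parent.postMessage(name + ': removed sandbox (was "' + before + '")', '*');
      } catch (err) {
        parent.postMessage(name + ': blocked by the same-origin policy (' + err.name + ')', '*');
      }
    <\/script>`;

  function addFrame(name, sandbox) {
    const f = document.createElement('iframe');
    f.name = name;
    f.sandbox = sandbox;   // must be set before the document loads; sandbox flags apply at navigation
    f.srcdoc = framed;     // srcdoc inherits the parent's origin unless the sandbox makes it opaque
    document.body.appendChild(f);
  }

  // Case 1: allow-same-origin keeps the parent's origin, so the frame can edit its own host element.
  addFrame('same-origin', 'allow-scripts allow-same-origin');
  // Case 2: without allow-same-origin the frame gets an opaque origin and the access is refused.
  addFrame('opaque', 'allow-scripts');
  // Case 3 (needs network, so not shown here): src="https://example.com/" with the same two flags
  // is a different origin from this page, so it behaves like case 2 whatever the sandbox flags say.
</script>
```

Save the page and open it in a browser; the first frame reports that it removed the attribute, the second reports a SecurityError. Two caveats a reviewer has in mind: removing the attribute does not un-sandbox the document that is already loaded, but the next navigation of that frame (a plain location.reload() from inside it) loads without any restrictions; and in an extension page the parent origin is the extension's own origin, so a same-origin frame that does this comes back as an ordinary, unrestricted extension page. A third-party site such as example.com is never same-origin with the extension, which is why case 3 fails regardless of the flags.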

Thank you Tom for the analysis! :)

So any 3rd party page loaded into iframe can never remove the sandbox attribute, even if it’s set to “allow-same-origin allow-scripts”. Right?

So if this is not a security issue, why is it being enforced as “problem” by addon reviewers team?

I had one addon already removed from the store and a second one is now facing the same issue because of this rule. :(

I believe this is not a problem when loading 3rd party websites into a frame, but I’m not on the reviews team so can’t really answer that or speak for them.

What is actually your use case, why do (you think) you need that attribute?

These days you can’t really load a modern page into an iframe without using allow-same-origin allow-scripts.
Without scripts the page is “dead”, and without same-origin the page can’t use same-origin resources - so no fetch and no storage - so again a completely broken page.

In my translation addon I load the full translator page into an iframe (google/deepl/baidu/etc…), so as you can imagine, a page like Google Translate needs scripts and fetch to work, same as any other translation provider.

In my speed dial I load user-saved pages into an iframe (there are multiple features that use this - “Live dials”, “Crop / Scale”, normal screenshots - all these things need the page to be fully working, and some of them are interacted with by users).

And as you can imagine, reviewers are not exactly eager to discuss security restrictions…
So all I get is this simple reason, without any further messages:
[image]

(which is super frustrating :( )

Hi juraj.masiar - Did you find any solution to the above issue using allow-same-origin allow-scripts in the sandbox attribute? My requirement is also the same: to load external links inside the iframe.

I don’t have this issue anymore.
After escalating it here, the reviewer approved both of my addons without me removing the sandbox or changing the attributes.
There may be more reviewers that don’t know about it. Try to send them link to this thread.