Iframe with local src is being blocked

ta32 · February 25, 2023, 1:19am

My extension has an iframe that is trying to load content that is local to the extension eg from: moz-extension://0131fc0f-55c6-43d2-85e2-4a40ec02fb7c/

However, this is being blocked. I noticed this issue is related to: https://bugzilla.mozilla.org/show_bug.cgi?id=792479

However the defect has been closed for 6 years. Has a work around for this been implemented or is there a new API to do this?

This works in chrome but not in Firefox, I don’t see why resources from the extension bundle would be blocked.

stig · February 25, 2023, 6:49am

Hi ta32

Have you tried using web_accessible_resources?:

But in general, you should probably be careful injecting iframes with extension pages into webpages. I don’t remember or know every detail about what’s possible or not - or what could happen. But you should probably also look into stuff like iframe’s sandbox attribute and content_security_policy in the manifest if you haven’t done that already. You don’t want the webpage to get access to the internal webextension API via the iframe.

ta32 · February 27, 2023, 11:35am

Thanks that was a helpful reply, I got the feeling Firefox restricts things differently to chrome…

In the generated background_html

the iframe.html is injected like

<iframe style="position: absolute; display: none; border: 0px none; width: 0px; height: 0px;" id="trezorconnect" src="moz-extension://0131fc0f-55c6-43d2-85e2-4a40ec02fb7c/iframe.html" width="0px" height="0px" frameborder="0"></iframe>

I added “iframe.html” to the web_accessible_resources section

In the chrome extension I see a request in the network tab going to the src.
When the source is remote the iframe is actually loaded in FireFox eg src=“https://connect.trezor.io/8/iframe.html”

I thought it might be because the URI doesn’t use HTTPS?

Not sure why FF allows the remote iframe content to be injected but not from a file that is local.

Note
I removed the script in the iframe.html for troubleshooting purposes

hans_squared · February 27, 2023, 3:27pm

Can you upload a small test extension that demonstrates your problem?

ta32 · March 2, 2023, 10:16am

Hi

Here’s an MRE solution ff_iframe.zip (11.7 KB)

In the background script if you use a remote src the iframe will be loaded. If you switch to a local src the iframe will not be loaded.

I checked I can load the iframe.html manually by going to the URL printed in the src attribute

It should be accessible since I have added the page to:
“web_accessible_resources”: [
“html/iframe.html”
],

If this is an bug I don’t think it will be fixed, because I think MV2 will be phased out even in FF and this kind of thing is not going to be possible in MV3