A reviewer has rejected my addon with the reason: Sandboxed iframes with attributes ‘allow-scripts’ and ‘allow-same-origin’ are not allowed for security reasons.
He also said that I may simply remove the sandbox attribute of the iframe, i.e. make it a normal iframe.
I would argue that this restriction is pointless, and even worse, it makes extensions less secure.
As extensions are protected by the content security policy, only explicit extension scripts may be run and no external or arbitrary scripts are possible. This applies to normal extension pages and normal frames, and sandboxed iframes (even though scripts are allowed) are no different from them.
I am fully aware that a sandboxed iframe with attributes ‘allow-scripts’ and ‘allow-same-origin’ generally means that any script can be run in it, and the script can possibly modify the sandbox attribute, making the whole sandbox breakable. However, as my extension scripts won’t do something as silly as breaking the sandbox, a sandboxed iframe is still more restrictive than a normal iframe, which is not considered unacceptable. As a result, this restriction won’t bring any help with security.
My extension runs scripts in the iframe, and it won’t work without “allow-scripts” and “allow-same-origin”. The point of using a sandboxed iframe instead of a normal iframe is to restrict form submission and top-frame navigation (via links etc.). The request to replace it with a normal iframe will break this protection and introduce security hazards.
As the policy never restricts normal frames, please re-evaluate the rationale and necessity of forbidding sandboxed iframes with attributes ‘allow-scripts’ and ‘allow-same-origin’. Thank you.
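The comparison the post is making, written out as an added example (this is not code from the post or from the extension under review): a small model of the capabilities an iframe's sandbox attribute grants, following the HTML spec's sandboxing flags, used to put the rejected configuration (`sandbox="allow-scripts allow-same-origin"`) side by side with the reviewer's suggestion (no sandbox attribute). The function names and the `sameOriginSrc` parameter are assumptions made for the example; the "escape" rule models the case the post itself concedes, namely that a same-origin frame with scripts enabled can reach `parent.document` and edit the attribute. It runs under Node and does not need a browser.

```javascript
// Added example (not part of the original post): a model of <iframe sandbox>
// capabilities, so the rejected configuration can be compared with a plain iframe.
// Token semantics follow the HTML spec's sandboxing flag set; function names and
// the sameOriginSrc parameter are assumptions made for this example.

const SANDBOX_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Parse a sandbox attribute value into a Set of recognised tokens.
// Tokens are ASCII case-insensitive; unknown tokens are ignored, as browsers do.
// Returns null when the attribute is absent (a normal, unsandboxed iframe).
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  const tokens = new Set();
  for (const raw of String(value).split(/\s+/)) {
    const t = raw.toLowerCase();
    if (SANDBOX_TOKENS.has(t)) tokens.add(t);
  }
  return tokens;
}

// Effective capabilities of a frame.
// sandboxValue: the attribute value, or null for a plain iframe.
// sameOriginSrc: whether the framed document's URL is same-origin with the
//   embedding document (e.g. both served from the extension's own origin).
function frameCapabilities(sandboxValue, sameOriginSrc) {
  const tokens = parseSandbox(sandboxValue);
  if (tokens === null) {
    // Normal iframe: the embedder restricts nothing.
    return {
      sandboxed: false,
      scripts: true,
      forms: true,
      topNavigation: true,
      popups: true,
      sameOrigin: sameOriginSrc,
      canReachParentDom: sameOriginSrc,
      canEscapeSandbox: false, // there is no sandbox to escape from
    };
  }
  const scripts = tokens.has("allow-scripts");
  // Without allow-same-origin the document gets an opaque origin, so it is
  // never same-origin with its parent regardless of its URL.
  const sameOrigin = sameOriginSrc && tokens.has("allow-same-origin");
  const canReachParentDom = scripts && sameOrigin;
  return {
    sandboxed: true,
    scripts,
    forms: tokens.has("allow-forms"),
    // allow-top-navigation-by-user-activation only permits it after a user gesture;
    // both are counted here because both let the frame navigate the top document.
    topNavigation: tokens.has("allow-top-navigation") ||
      tokens.has("allow-top-navigation-by-user-activation"),
    popups: tokens.has("allow-popups"),
    sameOrigin,
    canReachParentDom,
    // With script access to the parent DOM the framed code can remove or edit the
    // sandbox attribute; the change applies when the frame next navigates.
    canEscapeSandbox: canReachParentDom,
  };
}

// Capabilities that `candidate` grants but `reference` does not.
function extraCapabilities(candidate, reference) {
  const keys = ["scripts", "forms", "topNavigation", "popups", "sameOrigin", "canReachParentDom"];
  return keys.filter((k) => candidate[k] && !reference[k]);
}

// The two configurations under discussion, both framing an extension page
// (same origin as the embedder).
const rejected = frameCapabilities("allow-scripts allow-same-origin", true);
const suggested = frameCapabilities(null, true);
console.log("plain iframe additionally allows:", extraCapabilities(suggested, rejected));
console.log("sandboxed iframe additionally allows:", extraCapabilities(rejected, suggested));
console.log("sandboxed frame's own scripts could drop the sandbox:", rejected.canEscapeSandbox);
```

Run with `node`, the output shows the trade-off both sides are arguing about: the plain iframe the reviewer proposes grants form submission, top navigation and popups that the sandboxed version withholds, while the sandboxed version with both tokens is the one configuration in which the framed script could lift those restrictions itself. Dropping either token, or framing a cross-origin document, makes `canEscapeSandbox` false in the model.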