SharedArrayBuffer inside Chrome Extension Sandboxed iFrame


I am trying to use SharedArrayBuffer by setting up a document that is cross-origin isolated. However, since it is in a Google Chrome extension and I need WebAssembly, I need to run this inside a sandboxed page.

I have a sandboxed page, which is defined as such in my manifest.json:

{
    ...
    "sandbox": {
        "pages": ["sandbox.html"]
    },
    "content_security_policy": {
        "sandbox": "sandbox allow-scripts; script-src 'self' 'wasm-eval'; script-src-elem 'self' 'wasm-eval' blob:; worker-src 'self' blob:"
    },
    "cross_origin_embedder_policy": {
        "value": "require-corp"
    },
    "cross_origin_opener_policy": {
        "value": "same-origin"
    },
    ...
}

and I have also enabled cross-origin isolation with COOP and COEP.

The sandbox.html does nothing except use this script:

window.addEventListener('load', () => {
    const thing = document.createElement('h1');
    thing.innerHTML = self.crossOriginIsolated ? 'GOOD am crossOriginIso' : 'BAD am not crossOriginIso';
    document.body.appendChild(thing);
});

Then I have a page outer.html which embeds sandbox.html in an iFrame.

<iframe src="sandbox.html" allow="cross-origin-isolated"></iframe>

When I open outer.html, I get the message "BAD am not crossOriginIso", i.e. the sandbox.html document inside the iFrame is not cross-origin isolated (and I cannot use SharedArrayBuffer).

Is there a way to enable cross-origin isolation in a Chrome extension with manifest v3 in an iFrame where the inner document is sandboxed (through manifest.json)?

Perhaps more specifically, how does one add more featurePolicy.allowedFeatures() to a sandbox iFrame (which is sandboxed in the Chrome extension's manifest.json, not with the sandbox attribute)?

I have noted the following things:

  • Opening sandbox.html directly without the iFrame, the page is cross-origin isolated.
  • Removing the sandbox attribute in manifest.json results in the document inside the iframe being cross-origin isolated.
  • Executing document.featurePolicy.allowedFeatures() inside the iFrame gives a very small list of features (and doesn't include cross-origin-isolated). This list is a lot smaller than executing the same command when opening sandbox.html directly.

There are 1 best solutions below

In Chrome 103, manifest v3, this works well:

    "content_security_policy": {
        "extension_pages": "default-src 'self' 'wasm-unsafe-eval';style-src 'unsafe-inline' 'self' "
    },
    "cross_origin_embedder_policy": {
        "value": "require-corp"
    },
    "cross_origin_opener_policy": {
        "value": "same-origin"
    },

Don't use sandbox to run ffmpeg.wasm; SharedArrayBuffer is not available in sandbox.
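
The checks made by hand in the question (self.crossOriginIsolated, document.featurePolicy.allowedFeatures()) can be gathered into one gate that a page runs before choosing a threaded WebAssembly build. This is an added example, not code from the question or the answer; collectSignals and diagnose are hypothetical helper names, and the two stub scopes are constructed to mirror the cases the question reports.

```javascript
// Added example: gate SharedArrayBuffer use on the signals checked in the question.
// collectSignals() and diagnose() are hypothetical helper names.

// Gather the isolation signals from a global scope (window, worker, or a stub).
function collectSignals(scope) {
  const policy = scope.document && scope.document.featurePolicy;
  return {
    crossOriginIsolated: scope.crossOriginIsolated === true,
    hasSharedArrayBuffer: typeof scope.SharedArrayBuffer === 'function',
    // An opaque origin (sandbox without allow-same-origin) serializes as "null".
    opaqueOrigin: scope.origin === 'null',
    // document.featurePolicy is Chrome-specific; null means "could not check".
    policyAllows: policy
      ? policy.allowedFeatures().includes('cross-origin-isolated')
      : null,
  };
}

// Turn the signals into a decision plus the reasons a page failed the check.
function diagnose(signals) {
  const reasons = [];
  if (!signals.crossOriginIsolated) reasons.push('self.crossOriginIsolated is false');
  if (!signals.hasSharedArrayBuffer) reasons.push('SharedArrayBuffer is not exposed');
  if (signals.opaqueOrigin) reasons.push('document origin is opaque ("null")');
  if (signals.policyAllows === false) {
    reasons.push("'cross-origin-isolated' is missing from allowedFeatures()");
  }
  const threadsOk = signals.crossOriginIsolated && signals.hasSharedArrayBuffer;
  return { threadsOk, reasons };
}

// Constructed stub: sandbox.html inside the iframe. The question does not list
// the features it saw, so the single entry here is a made-up stand-in.
const sandboxedFrame = {
  crossOriginIsolated: false,
  origin: 'null',
  document: { featurePolicy: { allowedFeatures: () => ['constructed-feature'] } },
};
// Constructed stub: the same page opened directly (extension id is a placeholder).
const topLevelPage = {
  crossOriginIsolated: true,
  origin: 'chrome-extension://EXTENSION_ID_PLACEHOLDER',
  SharedArrayBuffer: function SharedArrayBuffer() {},
  document: { featurePolicy: { allowedFeatures: () => ['cross-origin-isolated'] } },
};

// In a real page, inspect globalThis; under Node, report on the sandboxed stub.
const scope = typeof document !== 'undefined' ? globalThis : sandboxedFrame;
console.log(diagnose(collectSignals(scope)));
```

When threadsOk is false, the page can load a single-threaded WebAssembly build instead, or move the work to a non-sandboxed extension page as the answer suggests.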