Bugfix: match_origin_as_fallback failing to fix content script injection into iframes with sandbox and srcdoc attrs

[mnholtz]

Follow-up to #8922

We've identified setting match_origin_as_fallback in the manifest as a preferred approach to fixing #8921

But neither @fungairino nor @mnholtz were able to replicate a fix locally with the PixieBrix Extension, despite being able to reproduce the fix with a simple reproduction detailed in https://issues.chromium.org/issues/355256366

This implies that there must be something specific to the new version of Chrome and the PixieBrix extension that is preventing the content script injection with these sort of iframes <iframe srcdoc="..." sandbox/>

[fungairino]

We modified the linked manifest.json (https://github.com/pixiebrix/pixiebrix-extension/blob/main/src/manifest.json
) with the following changes (shown in this commit):

changed "matches" to ["<all_urls>"],

added: "match_origin_as_fallback": true

Running our extension on the test page then produces this error in the console:

Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

Followed immediately by this log:

Chrome bug https://crbug.com/816121 hit.

If I modify the iframe sandbox attribute to sandbox="allow-scripts", then the content script injects fine.

I posted this on the chrome issue to see what else we can do. https://issues.chromium.org/issues/355256366

[fungairino]

Another dev reported this:

[email protected], adding match_origin_as_fallback works for me in a local copy of PixieBrix from the web store loaded as an unpacked extension. I see PixieBrix in devtools console context switcher under both about:srcdoc frames as well as 3 messages about setRuntimeLogging.

https://issues.chromium.org/issues/355256366#comment11

[mnholtz]

re

[email protected], adding match_origin_as_fallback works for me in a local copy of PixieBrix from the web store loaded as an unpacked extension. I see PixieBrix in devtools console context switcher under both about:srcdoc frames as well as 3 messages about setRuntimeLogging.

I am able to confirm that the content script is loaded in srcdoc + sandbox iframes, but the initialization logic is failing to execute with the following error:

Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
Chrome bug https://crbug.com/816121 hit.

Via logging (I can't set breakpoints directly inside the offending iframes), I am able to narrow down the issue to something going wrong in this promise:

pixiebrix-extension/src/contentScript/contentScript.ts

Line 96 in 36a717b

const { init } = await contentScriptPromise;

[twschiller]

Via logging (I can't set breakpoints directly inside the offending iframes), I am able to narrow down the issue to something going wrong in this promise:

@mnholtz it's likely due to how dynamic imports work. We use https://github.com/awesome-webextension/webpack-target-webextension which might be using script tags to inject the modules at runtime

[fungairino]

We have resolved this by modifying the hack to look for these iframe and remove the sandbox attribute. We also hid this behind the "iframe-srcdoc-sandbox-hack" flag.

As a follow-up we have this issue to remove this hack once the related chromium issues are resolved:
#8951

[github-actions]

This issue will be closed in 7 days unless the stale label is removed, or a comment is added to the issue.