
I'm getting the following error when attempting to load a third-party WYSIWYG editor in a Chrome extension.

Sandbox access violation: Blocked a frame at "chrome-extension://cmcjindomengjienigbcldekcfnhfped" from accessing a frame at "null". Both frames are sandboxed and lack the "allow-same-origin" flag.

I initially got a similar error and managed to resolve it by adding the allow-same-origin flag. This resulted in another error, which required the allow-scripts flag. Below is the current state of the iframe element:

<iframe sandbox="allow-same-origin allow-scripts" src="editor.html" width="350" height="350" style="border:none;"></iframe>

The WYSIWYG editor creates an iframe dynamically to hold the editor. I'm assuming this might be triggering the second instance of the error. I tried setting the allow-same-origin flag on the created iframe in the sandboxed page, but this did nothing.

I could try an alternative, but as this is also a learning adventure, I'd love to solve this issue.

EDIT: I tried replacing the dynamically created iframe with a div just to see what would occur. I didn't get the error above, but as expected the code failed when properties relating to the iframe were accessed. This isn't proof that the new iframe is the problem but it could indeed be.

EDIT 2: FWIW, the line below is where the error is thrown:

this.e = this.i.contentWindow.document;

where it was previously initialized as

this.i = document.createElement('iframe');
dalevross
  • I managed to find a workaround by taking the code out of the sandbox and nixing the unsafe evals. It took some hardcoding and closure, but I'll work with that for now. Most of the new Function(...) lines had to do with using a dynamic variable name for the editor class. I tried using window[name] but that didn't work, so I just used the same instance name I initialized with. Ideally I'd love to know what prevented the embedded iframe from being friendly. – dalevross Jul 14 '13 at 17:45

1 Answer


If you sandbox your iframe, you can't access its content from outside. You should then use postMessage to communicate between user agents.

Using allow-same-origin and allow-scripts at the same time on an iframe loaded on the same domain allows the iframe to remove the sandbox attribute.

http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

Setting both the allow-scripts and allow-same-origin keywords together when the embedded page has the same origin as the page containing the iframe allows the embedded page to simply remove the sandbox attribute and then reload itself, effectively breaking out of the sandbox altogether.

Cyril Fluck
  • Yeah, I figured out that the problem was me trying to do the impossible. It was technically possible but prevented for a good reason. – dalevross Aug 03 '17 at 16:35
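
The two points of the answer above, as an added example that is not part of the original question or answer: a model of what the sandbox tokens do to the framed document's origin, and a postMessage listener for the embedding page. The function names, the `editor-content` message shape, `PARENT_ORIGIN`, `save` and the origins used with it are assumptions made for illustration.

```javascript
// Constructed helper names; none of this is a browser or Chrome extension API.

// Model the effect of <iframe sandbox="..."> on the framed document.
// sandbox: the attribute value, or null when the attribute is absent.
function auditSandbox(sandbox, frameOrigin, parentOrigin) {
  const sandboxed = sandbox !== null;
  const tokens = new Set((sandbox || '').toLowerCase().split(/\s+/).filter(Boolean));
  const scripts = !sandboxed || tokens.has('allow-scripts');
  // Without allow-same-origin the document gets a unique opaque origin,
  // which serializes as "null" (the "null" in the error message above).
  const opaque = sandboxed && !tokens.has('allow-same-origin');
  const sameOrigin = !opaque && frameOrigin === parentOrigin;
  return {
    origin: opaque ? 'null' : frameOrigin,
    scripts,
    // iframe.contentWindow.document only works between same-origin documents.
    parentCanReadDocument: sameOrigin,
    // Scripts plus a shared origin let the framed page remove its own sandbox.
    sandboxEscapable: sandboxed && scripts && sameOrigin,
  };
}

// Listener for the embedding page when the editor frame keeps an opaque origin.
// Every opaque-origin sender reports event.origin === "null", so the sender is
// pinned by comparing event.source with the frame's contentWindow.
// The message shape { type: 'editor-content', html } is hypothetical.
function makeEditorListener(frameWindow, onContent) {
  return function onMessage(event) {
    if (event.source !== frameWindow || event.origin !== 'null') return false;
    const msg = event.data;
    if (!msg || msg.type !== 'editor-content' || typeof msg.html !== 'string') {
      return false;
    }
    onContent(msg.html);
    return true;
  };
}

// Browser wiring (not executed here; save is a hypothetical callback):
//   const frame = document.querySelector('iframe');
//   window.addEventListener('message', makeEditorListener(frame.contentWindow, save));
// Inside the frame, with PARENT_ORIGIN set to the embedding page's origin:
//   parent.postMessage({ type: 'editor-content', html }, PARENT_ORIGIN);
```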