Sandbox access violation when using tinyeditor wysiwyg editor in chrome extension

6.3k views Asked by At

I'm getting the following error when attempting to load a third party wysiwyg editor in a chrome extension.

Sandbox access violation: Blocked a frame at "chrome-extension://cmcjindomengjienigbcldekcfnhfped" from accessing a frame at "null". Both frames are sandboxed and lack the "allow-same-origin" flag.

I initially got a similar error and managed to resolve it by adding the allow-same-origin flag. This resulted in another error which required the allow scripts flag. Below is the current state of the iframe element

<iframe sandbox="allow-same-origin allow-scripts" src="editor.html" width="350" height="350" style="border:none;"></iframe>

The wysiwyg editor creates an iframe dynamically to hold the editor. I'm assuming this might be triggering the second instance of the error. I tried setting the allow-same-origin flag on the created iframe in the sandboxed page but this did nothing.

I could try an alternative but, as this is also a learning adventure I'd love to solve this issue.

EDIT: I tried replacing the dynamically created iframe with a div just to see what would occur. I didn't get the error above, but as expected the code failed when properties relating to the iframe were accessed. This isn't proof that the new iframe is the problem but it could indeed be.

EDIT 2 FWIW, the line below is where the error is thrown

this.e = this.i.contentWindow.document;

where it was previously initialized as

this.i = document.createElement('iframe');
1

There are 1 answers

1
Cyril Fluck On

If you sandbox your iframe, you can't access it's content from outside. You should then use postMessage to communicate between user agents.

By using allow-same-origin and allow-scripts at the same time on an iframe loaded on the same domain allows the iframe to remove the sandbox attribute.

http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox

Setting both the allow-scripts and allow-same-origin keywords together when the embedded page has the same origin as the page containing the iframe allows the embedded page to simply remove the sandbox attribute and then reload itself, effectively breaking out of the sandbox altogether.