filedescriptor / untrusted-types


[bug] This document requires 'TrustedScript' assignment. #1

Open root0x0 opened 3 years ago

root0x0 commented 3 years ago

When you browse some websites that contain an iframe dynamically loaded by JavaScript, it throws an error: This document requires 'TrustedScript' assignment.

filedescriptor commented 3 years ago

What URL does the iframe load? It doesn't work with data: but should be fine with any other.

root0x0 commented 3 years ago

I think it is javascript:

filedescriptor commented 3 years ago

I was able to reproduce the behavior described. The sequence of loading a javascript: URL in an iframe is like this:

  1. <iframe src=about:blank>
  2. Navigates it to the javascript: URL

The content script of Untrusted Types is configured with match_about_blank so it is injected for <iframe src=about:blank>, but the navigation happens too fast so the injected JavaScript doesn't have a chance to run.

I'll investigate if it's possible to ensure the JavaScript has run before injecting the meta tag.

filedescriptor commented 3 years ago

Actually, forget what I said. It's quite the opposite. Chrome doesn't inject content scripts for <iframe src=javascript:>. The iframe, since it is on the same origin, inherits the parent's CSP settings. Hence it doesn't have a default policy. I'm not sure if it's fixable but I'll keep investigating.
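
The condition described in the last comment, a same-origin frame that exposes the Trusted Types API but has no default policy, can be checked from the parent page. The following is an added example, not part of the thread or of the Untrusted Types code base; the function names are hypothetical and the sample frame tree (including `https://app.example/`) is constructed.

```javascript
// Added example: report frames that expose Trusted Types but lack a default policy.
function classifyFrame(win) {
  try {
    const tt = win.trustedTypes; // cross-origin access throws SecurityError
    if (!tt) return 'no-trusted-types-api';
    return tt.defaultPolicy ? 'default-policy-present' : 'missing-default-policy';
  } catch (err) {
    return 'cross-origin';
  }
}

// Depth-first walk over a window and its child frames (win.length / win[i]).
function auditFrames(win, path = 'top', out = []) {
  const status = classifyFrame(win);
  if (status === 'cross-origin') {
    out.push({ path, href: null, status });
    return out; // nothing more can be inspected from here
  }
  out.push({ path, href: win.location.href, status });
  for (let i = 0; i < win.length; i++) {
    auditFrames(win[i], `${path}.frames[${i}]`, out);
  }
  return out;
}

function framesMissingDefaultPolicy(win) {
  return auditFrames(win).filter((f) => f.status === 'missing-default-policy');
}

// Constructed stand-in for a frame tree: a top page with a default policy,
// a javascript:-style child (document URL about:blank) without one, and a
// cross-origin child whose properties cannot be read.
function constructedDemoWindow() {
  const jsUrlFrame = { trustedTypes: { defaultPolicy: null }, location: { href: 'about:blank' }, length: 0 };
  const crossOrigin = { get trustedTypes() { throw new Error('SecurityError (constructed)'); }, length: 0 };
  return {
    trustedTypes: { defaultPolicy: { name: 'default' } },
    location: { href: 'https://app.example/' },
    length: 2, 0: jsUrlFrame, 1: crossOrigin,
  };
}

// Browser: audit the live page. Elsewhere (e.g. Node): audit the constructed tree.
const root = typeof window !== 'undefined' ? window : constructedDemoWindow();
console.table(auditFrames(root));
```

A frame reported as `missing-default-policy` only throws on string assignments to script sinks if its document is also under a `require-trusted-types-for 'script'` policy, which this check does not read.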