Open root0x0 opened 3 years ago
What URL does the iframe load? It doesn't work with data:
but should be fine with any other.
I think is javascript:
I was able to reproduce the behavior described. The sequence of loading a javascript:
URL in an iframe is like this:
<iframe src=about:blank>
javascript:
URLThe content script of Untrusted Types is configured with match_about_blank
so it is injected for <iframe src=about:blank>
, but the navigation happens too fast so the injected JavaScript doesn't have a chance to run.
I'll investigate if it's possible to ensure the JavaScript has run before injecting the meta tag.
Actually forget what I said. It's quite the opposite. Chrome doesn't inject content scripts for <iframe src=javascript:>
.The iframe, since is on the same origin, inherits the parent's CSP settings. Hence it doesn't have a default policy. I'm not sure if it's fixable but I'll keep investigating.
when you browser some websites. which contains an iframe dynamically loaded by javascript. It will throw an error
This document requires 'TrustedScript' assignment.