tulios / json-viewer

It is a Chrome extension for printing JSON and JSONP.
https://chrome.google.com/webstore/detail/json-viewer/gbmdgpbipfallnflgajpaliibnhdgobh
MIT License
3.31k stars 678 forks

Doesn't work on JSON endpoints with sandbox CSP #178

Closed ngyikp closed 6 years ago

ngyikp commented 6 years ago

Reproduction URLs:

Both of these URLs have a response header of Content-Security-Policy: sandbox

Tested on user-agents:

Expected result: The JSON viewer should work.

Actual result: Doesn't work at all, page is completely blank, and a console error appears: Blocked script execution in 'https://untitled-8bobienkqieg.runkit.sh/' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

It's a misleading error; the extension's content script does run but halts at one point. I did some investigation and it might be a Chrome bug: setTimeout and setInterval don't work in the sandbox CSP, but requestAnimationFrame or requestIdleCallback works.

I tried this patch and it works. There's still some buggy behaviour, but at least it's not a white screen anymore.

Another thing with requestAnimationFrame is that only Chrome 24+ has the unprefixed version and the manifest's minimum Chrome version is 21, but I think no one should be using an ancient Chrome anymore :) (replaced with https://github.com/tulios/json-viewer/issues/210)
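
An added example, not part of the issue thread or the extension's code: a JavaScript check that tells whether a response's Content-Security-Policy header carries a sandbox directive without allow-scripts, the condition named in the console error above. The function names are hypothetical and the sample header values are constructed.

```javascript
// Added example: names below are hypothetical, sample headers are constructed.

// Parse one serialized policy ("name token token; name ...") into a Map.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive inside one policy is ignored; the first one wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// headerValues: every Content-Security-Policy header value on the response.
// One header value may carry several comma-separated policies; all are enforced.
function sandboxStatus(headerValues) {
  const sandboxes = headerValues
    .flatMap((value) => value.split(','))
    .map(parsePolicy)
    .filter((p) => p.has('sandbox'))
    .map((p) => p.get('sandbox'));
  if (sandboxes.length === 0) {
    return { sandboxed: false, scriptsBlockedBySandbox: false };
  }
  // A flag is lifted only if every sandbox directive lists it.
  const scriptsAllowed = sandboxes.every((tokens) => tokens.includes('allow-scripts'));
  return { sandboxed: true, scriptsBlockedBySandbox: !scriptsAllowed };
}

// Constructed sample responses; the first is the header value quoted in the report.
const samples = [
  ['sandbox'],
  ['sandbox allow-scripts allow-same-origin'],
  ["default-src 'self'"],
  ["default-src 'none'; sandbox allow-scripts, sandbox"],
];
for (const headers of samples) {
  console.log(JSON.stringify(headers), sandboxStatus(headers));
}
```

The last sample shows why every policy has to be checked: one policy grants allow-scripts, but a second bare sandbox policy in the same header still blocks scripts.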

psyrendust commented 6 years ago

I'm getting the same issue.

VladimirAlexiev commented 6 years ago

https://github.com/tulios/json-viewer/pull/209. If @tulios doesn't merge it soon, I'm switching too.

ngyikp commented 6 years ago

The Chrome bug has been reported by someone else, and fixed in Chrome 68 :) https://bugs.chromium.org/p/chromium/issues/detail?id=811528