w3c / webextensions

Charter and administrivia for the WebExtensions Community Group (WECG)

Proposal: restrict `content_scripts.all_frames` to specific `main_frame` origins. #117

Open carlosjeurissen opened 3 years ago

carlosjeurissen commented 3 years ago

To reduce the attack surface of content_scripts, I'm proposing to allow authors to restrict content_scripts.all_frames to specific main_frame origins or matches. Imagine it like this:

"content_scripts": [{
  "css": [ "/content-script.css" ],
  "js": [ "/content-script.js" ],
  "matches": [ "https://www.example.com/*" ],
  "all_frames": true,
  "main_frame_origins": [ "<extension_origin>", "www.example.com" ]
}]

This makes sure content-scripts are not changing anything in situations they are not meant to make changes.

Basically the goal here is to inject content_scripts if and only if the parent frame matches what the author specified.
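The proposed key has no browser implementation, so the following is an added example (not code from the proposal, the WECG, or any browser) that models the decision a browser would make per frame under the proposed semantics: the entry's `matches` is checked against the frame's own URL, and `main_frame_origins` against the origin of the top-level document. The key name and the `<extension_origin>` token come from the proposal above; treating a bare hostname as "that host", `*.host` as "that host or any subdomain", a value containing `://` as an exact origin, and checking a main frame against its own origin are this example's assumptions, as are the extension ID and the sample frames, which are constructed for illustration.

```javascript
// Model of the proposed "main_frame_origins" check (added example, not a
// browser or WECG implementation). Assumed extension ID for the sample data.
const EXTENSION_ORIGIN = "chrome-extension://abcdefghijklmnopabcdefghijklmnop";

// Compile a WebExtension match pattern (scheme://host/path) to a RegExp.
function matchPatternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^(https?|wss?|ftp|file):\/\/.*$/;
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/(\*|\*\.[^/*:]+|[^/*:]+|)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"); // leaves "*" alone
  const schemeRe = scheme === "*" ? "https?" : esc(scheme);
  let hostRe;
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = "(?:[^/]+\\.)?" + esc(host.slice(2));
  else hostRe = esc(host);
  const pathRe = esc(path).replace(/\*/g, ".*");
  return new RegExp(`^${schemeRe}://${hostRe}(?::\\d+)?${pathRe}$`);
}

// Does the top-level document's origin satisfy one of the allowed entries?
// Opaque origins ("null", e.g. a sandboxed top document) never match.
function originMatches(topOrigin, allowed, ctx) {
  let host;
  try { host = new URL(topOrigin).hostname; } catch { host = null; }
  for (const a of allowed) {
    if (a === "<extension_origin>") {
      if (topOrigin === ctx.extensionOrigin) return true;
    } else if (a.includes("://")) {
      if (topOrigin === a) return true;          // exact origin (assumed form)
    } else if (host !== null && a.startsWith("*.")) {
      const base = a.slice(2);
      if (host === base || host.endsWith("." + base)) return true;
    } else if (host !== null && host === a) {
      return true;
    }
  }
  return false;
}

// frame: { url, isMainFrame, topOrigin } where topOrigin is the origin of the
// top-level document and is assumed to be supplied by the browser.
function shouldInject(entry, frame, ctx = { extensionOrigin: EXTENSION_ORIGIN }) {
  if (!frame.isMainFrame && !entry.all_frames) return false;
  const regs = (entry.matches || []).map(matchPatternToRegExp);
  if (!regs.some((re) => re.test(frame.url))) return false;
  if (!entry.main_frame_origins) return true;   // key absent: today's behaviour
  const topOrigin = frame.isMainFrame ? new URL(frame.url).origin : frame.topOrigin;
  return originMatches(topOrigin, entry.main_frame_origins, ctx);
}

// The entry from the proposal.
const PROPOSED_ENTRY = {
  css: ["/content-script.css"],
  js: ["/content-script.js"],
  matches: ["https://www.example.com/*"],
  all_frames: true,
  main_frame_origins: ["<extension_origin>", "www.example.com"],
};

// Constructed sample frames: where www.example.com pages end up embedded.
const SAMPLE_FRAMES = {
  topLevel:           { url: "https://www.example.com/page",   isMainFrame: true },
  embeddedByOwner:    { url: "https://www.example.com/widget", isMainFrame: false, topOrigin: "https://www.example.com" },
  embeddedByExt:      { url: "https://www.example.com/widget", isMainFrame: false, topOrigin: EXTENSION_ORIGIN },
  embeddedByThird:    { url: "https://www.example.com/widget", isMainFrame: false, topOrigin: "https://attacker.example" },
  embeddedByOtherExt: { url: "https://www.example.com/widget", isMainFrame: false, topOrigin: "chrome-extension://zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" },
  sandboxedTop:       { url: "https://www.example.com/widget", isMainFrame: false, topOrigin: "null" },
  wrongSite:          { url: "https://other.example/",         isMainFrame: false, topOrigin: "https://www.example.com" },
};

function evaluateSamples(entry = PROPOSED_ENTRY) {
  return Object.fromEntries(
    Object.entries(SAMPLE_FRAMES).map(([name, frame]) => [name, shouldInject(entry, frame)])
  );
}

console.log(evaluateSamples());
```

With the proposed key, only `topLevel`, `embeddedByOwner` and `embeddedByExt` are injected; the same entry without `main_frame_origins` also injects into the copy of the widget that `attacker.example` embedded, which is the hole the proposal is about. The `topOrigin` input is what a content script cannot reliably obtain on its own today: `location.ancestorOrigins` exposes it in Chromium and WebKit but is not implemented in Firefox, and `document.referrer` can be stripped by the embedder's referrer policy, so the check belongs in the browser, as the proposal asks.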

xeenon commented 3 years ago

I'm confused about what that is hardening about content scripts. Is this about requiring the frame to be embedded in only one of the matching main_frame_origins?

carlosjeurissen commented 3 years ago

It's not about making frames embeddable. Sometimes extensions only want to inject a content_script in a specific sub_frame and not in the main_frame. There are specific websites (any website by default) which can be embedded on another website in an iframe. Thus if an extension wants to inject a content_script in these sub_frames on specific websites, it might open up holes in other websites where this specific sub_frame can also be embedded.