1

I am trying to use a feature policy, serial, in my Google add-on. I am having difficulty enabling this particular feature policy inside an iframe, mainly, I believe, because the parent iframes don't have it enabled. Below is what the iframe DOM tree looks like. I don't have access to "sandboxFrame" and "userHtmlFrame" directly, so I cannot change their allowed features. Even if I set 'serial' in the innermost child iframe, I cannot find the 'serial' feature enabled in its featurePolicy.

<iframe id="sandboxFrame" allow="accelerometer *; ambient-light-sensor *; autoplay *; camera *; clipboard-read *; clipboard-write *; encrypted-media *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *; midi *; payment *; picture-in-picture *; screen-wake-lock *; speaker *; sync-xhr *; usb *; web-share *; vibrate *; vr *" sandbox="allow-downloads allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts" src="https://...-script.googleusercontent.com/...">
    <iframe id="userHtmlFrame" allow="accelerometer *; ambient-light-sensor *; autoplay *; camera *; clipboard-read *; clipboard-write *; encrypted-media *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *; midi *; payment *; picture-in-picture *; screen-wake-lock *; speaker *; sync-xhr *; usb *; web-share *; vibrate *; vr *" src="/blank" title="">
       <iframe id="myIframe" allow="serial *;" sandbox="allow-forms allow-modals allow-popups allow-presentation allow-same-origin allow-scripts" src="...external website in GitHub Pages">
       ...
       </iframe>
    </iframe>
</iframe>

If anyone acquainted with Google add-ons can prove me wrong about anything, that would be great. I would appreciate any kind of help.

Thank you.

defaultuser

1 Answer

3
  1. Yes, you can pass any permission into a nested iframe only if the parent context has that permission granted.
    Keep in mind that when passing permissions the origin will be changed accordingly, i.e.:

<iframe src='https://example.com' allow="fullscreen 'self'">
  <!-- the permission for fullscreen is 'self' (== https://example.com), -->
  <!-- but the main thing is that this iframe HAS that permission, therefore -->
  <!-- it can grant it to any nested context with ANY origin: -->
  <iframe src='https://www.youtube.com' allow="fullscreen https://www.youtube.com">
    <!-- will get permission for fullscreen mode for the https://www.youtube.com origin -->
  </iframe>
</iframe>

  2. In the parent iframe the serial Feature Policy directive is not specified in the allow='...' attribute. That means this feature is allowed with the default value - 'src'. Therefore the parent iframe implicitly has permission for serial, so it can pass it into any nested iframe.

  3. I have heard nothing about the serial Feature Policy directive; is it supported?

granty
  • Re: 2. Then passing serial to the child iframe should be working...yet the permission is not being granted. Any thoughts for why it's doing that? Re: 3. serial is still in experimental stages, but it is supported by a select few browsers. – defaultuser Jun 09 '21 at 17:53
  • If I do document.allowedFeatures(), 'serial' is not included in the list. Yet 'serial' is included in document.features(). Is there any hope of enabling 'serial' in such a situation? – defaultuser Jun 09 '21 at 18:33
  • "'serial' is included in document.features()" - it means that `serial` is supported by the browser. "If I do document.allowedFeatures(), 'serial' is not included in the list" - means `serial` is not permitted in the current browsing context. Maybe the top-level document disallows it, maybe it's allowed in a secure context only (https:). There is not any hope to allow it in nested browsing contexts in this case. – granty Jun 10 '21 at 03:15
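
Added example, not part of the original thread: a simplified JavaScript model of how Permissions Policy (formerly Feature Policy) resolves a feature through nested frames, in which a feature omitted from `allow` falls back to its default allowlist (`'self'` for `serial` and `usb`). The origins are constructed placeholders for the frames in the question, the `allow` lists are abbreviated, and `Permissions-Policy` response headers are assumed absent.

```javascript
// Simplified model of the Permissions Policy "inherited policy" steps for nested frames.
// Assumptions: no Permissions-Policy headers; each frame is still at its src origin.
const DEFAULT_ALLOWLIST = { serial: "'self'", usb: "'self'" }; // unlisted features: treated as 'self'

// Parse an allow="" attribute into { feature: [allowlist entries] }.
function parseAllow(attr) {
  const policy = {};
  for (const part of (attr || "").split(";")) {
    const [feature, ...list] = part.trim().split(/\s+/);
    if (feature) policy[feature] = list.length ? list : ["'src'"]; // bare feature name means 'src'
  }
  return policy;
}

// Does an allowlist declared in the allow attribute match the child frame's origin?
function matches(list, childOrigin, parentOrigin) {
  return list.some((e) =>
    e === "*" ||
    (e === "'self'" && childOrigin === parentOrigin) || // 'self' is the embedding document's origin
    e === "'src'" ||                                    // child is at its src origin in this model
    e === childOrigin);
}

// frames[0] is the top-level document; each later entry is nested in the previous one.
// Returns one boolean per frame: is `feature` enabled in that frame?
function resolve(feature, frames) {
  const enabled = [true]; // top-level document with no header: enabled
  for (let i = 1; i < frames.length; i++) {
    const parent = frames[i - 1], child = frames[i];
    const declared = parseAllow(child.allow)[feature];
    let ok;
    if (!enabled[i - 1]) ok = false; // parent does not have it, so nothing can be delegated
    else if (declared) ok = matches(declared, child.origin, parent.origin);
    else if (DEFAULT_ALLOWLIST[feature] === "*") ok = true;
    else ok = child.origin === parent.origin; // default 'self': same-origin children only
    enabled.push(ok);
  }
  return enabled;
}

// Constructed stand-ins for the frame tree in the question (placeholder origins).
const tree = [
  { origin: "https://host.example" },                              // top-level page
  { origin: "https://sandbox.example", allow: "camera *; usb *" }, // sandboxFrame
  { origin: "https://sandbox.example", allow: "camera *; usb *" }, // userHtmlFrame
  { origin: "https://pages.example", allow: "serial *;" },         // myIframe
];
console.log("serial:", resolve("serial", tree)); // disabled from sandboxFrame downwards
console.log("usb:   ", resolve("usb", tree));    // delegated until myIframe omits it
```

In this model `serial` is already disabled in the outermost cross-origin frame, so `allow="serial *;"` on the innermost frame has nothing to inherit.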