I am trying to use `SharedArrayBuffer` by setting up a document that is cross-origin isolated. However, since it is in a Google Chrome extension and I need WebAssembly, I need to run this inside a sandboxed page.
I have a sandboxed page which is defined as such in my `manifest.json`:
```json
{
  ...
  "sandbox": {
    "pages": ["sandbox.html"]
  },
  "content_security_policy": {
    "sandbox": "sandbox allow-scripts; script-src 'self' 'wasm-eval'; script-src-elem 'self' 'wasm-eval' blob:; worker-src 'self' blob:"
  },
  "cross_origin_embedder_policy": {
    "value": "require-corp"
  },
  "cross_origin_opener_policy": {
    "value": "same-origin"
  },
  ...
}
```
and I have also enabled cross-origin isolation with COOP and COEP.
The `sandbox.html` does nothing except use this script:
```js
window.addEventListener('load', () => {
  const thing = document.createElement('h1');
  thing.innerHTML = self.crossOriginIsolated ? 'GOOD am crossOriginIso' : 'BAD am not crossOriginIso';
  document.body.appendChild(thing);
});
```
Then I have a page `outer.html` which embeds `sandbox.html` in an iFrame.
```html
<iframe src="sandbox.html" allow="cross-origin-isolated"></iframe>
```
When I open `outer.html`, I get the message "BAD am not crossOriginIso", i.e. the `sandbox.html` document inside the iFrame is not cross-origin isolated (and I cannot use `SharedArrayBuffer`).
Is there a way to enable cross-origin isolation in a Chrome extension with manifest v3 in an iFrame where the inner document is sandboxed (through `manifest.json`)?
Perhaps more specifically, how does one add more `featurePolicy.allowedFeatures()` to a sandbox iFrame (which is sandboxed in the Chrome extension's `manifest.json`, not with the `sandbox` attribute)?
I have noted the following things:
- Opening `sandbox.html` directly without the iFrame, the page is cross-origin isolated.
- Removing the `sandbox` attribute in `manifest.json` results in the document inside the iframe being cross-origin isolated.
- Executing `document.featurePolicy.allowedFeatures()` inside the iFrame gives a very small list of features (and doesn't include `cross-origin-isolated`). This list is a lot smaller than executing the same command when opening `sandbox.html` directly.
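A diagnostic for comparing the cases listed above, added here as an example and not part of the original question: it records the isolation state of a page and diffs the report from `sandbox.html` opened directly against the report from the same page inside the iframe. The helper names (`isolationReport`, `compareReports`, `mockScope`) and the sample feature lists are assumptions constructed for illustration.

```javascript
// Added example, not code from the original post. All helper names are hypothetical.
// `scope` is the page's global object (window / self).
function isolationReport(scope) {
  const doc = scope.document;
  // document.featurePolicy is a Chrome API and may be absent in other engines.
  const policy = doc && doc.featurePolicy;
  const allowed = policy ? Array.from(policy.allowedFeatures()).sort() : null;
  return {
    framed: scope.top !== scope,
    crossOriginIsolated: scope.crossOriginIsolated === true,
    sharedArrayBuffer: typeof scope.SharedArrayBuffer === 'function',
    isolationFeatureAllowed: allowed ? allowed.includes('cross-origin-isolated') : null,
    allowedFeatures: allowed,
  };
}

// Diff a report taken from the page opened directly against one taken in the iframe.
function compareReports(direct, framed) {
  const inFrame = new Set(framed.allowedFeatures || []);
  return {
    missingInFrame: (direct.allowedFeatures || []).filter((f) => !inFrame.has(f)),
    isolationLost: direct.crossOriginIsolated && !framed.crossOriginIsolated,
    sharedArrayBufferLost: direct.sharedArrayBuffer && !framed.sharedArrayBuffer,
  };
}

// Constructed stand-in for a browser global, so the helpers can run outside a browser.
function mockScope(isolated, features, framed) {
  const scope = {
    crossOriginIsolated: isolated,
    document: { featurePolicy: { allowedFeatures: () => features } },
  };
  if (isolated) scope.SharedArrayBuffer = function () {};
  scope.top = framed ? {} : scope;
  return scope;
}

// Constructed sample mirroring the observations in the question (feature lists are made up).
function sampleComparison() {
  const direct = isolationReport(
    mockScope(true, ['sync-xhr', 'fullscreen', 'cross-origin-isolated', 'geolocation'], false));
  const framed = isolationReport(mockScope(false, ['sync-xhr'], true));
  return compareReports(direct, framed);
}

// In a real page, log the report so the two cases can be compared by hand.
if (typeof window !== 'undefined') {
  console.log(JSON.stringify(isolationReport(window), null, 2));
}
```

Loading the script in `sandbox.html` and opening the page both directly and through `outer.html` prints one report per case; passing the two parsed reports to `compareReports` lists exactly which policy features the framed document lost.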