
I have a Chrome MV3 extension that I am developing locally. I have a content script that injects an iframe into a user site. The iframe's HTML src is a sample.html file whose URL we get using chrome.runtime.getURL('/iframeinjector/sample.html'). This file also links a sample.css and a sample.js.

When I declare the iframe.html as a web_accessible_resource, I am able to import the CSS and JS files as well, without those files being in web_accessible_resources.

As expected, I can't access iframe.html if I don't declare it in web_accessible_resources. So why am I able to access the CSS/JS files without them being declared as web_accessible_resource?

manifest.json

...
"web_accessible_resources": [
{
    "resources": [
        "/iframeinjector/sample.html"
    ],
    "matches": ["<all_urls>"],
    "extension_ids": ["extension_id1234"]
}]
...

contentScript.js

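const $injectedIframe = document.createElement('iframe');
$injectedIframe.setAttribute('id', 'extension-iframe');
$injectedIframe.setAttribute('src', chrome.runtime.getURL('/iframeinjector/sample.html'));
document.body.appendChild($injectedIframe);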

sample.html (iframe src)

<html>
  <head>
    <link rel="stylesheet" type="text/css" href="bootstrap/built.min.css">
  </head>
  <body>
    <script type="text/javascript" src="./script.js"></script>
  </body>
</html>

The dist that I am uploading to Chrome contains those JS and CSS files. Given the definition of web_accessible_resource, I would not expect a resource to be available at all if it's not listed as such.

  • Because the iframe is a different document with a `chrome-extension://id/` URL, so it has access to everything within this path, i.e. all of the extension's resources. – wOxxOm Jul 12 '23 at 19:10
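
The behaviour described in the comment above, as an added example (not code from the post or from Chrome): a simplified JavaScript model of the load decision, showing that `web_accessible_resources` gates requests from other origins while the extension's own documents bypass it. The extension ID, the function names and the reduced match-pattern handling are assumptions made for illustration.

```javascript
// Simplified model of how Chrome decides whether a chrome-extension:// file may load.
// EXT_ID and the function names are constructed for this example.
const EXT_ID = 'abcdefghijklmnopabcdefghijklmnop';
const OWN_ORIGIN = `chrome-extension://${EXT_ID}`;

// The question's manifest entry: only the iframe document is web-accessible.
const webAccessibleResources = [
  { resources: ['/iframeinjector/sample.html'], matches: ['<all_urls>'] },
];

// Turn a manifest resource entry ("*" is a wildcard) into an anchored RegExp.
function resourcePattern(glob) {
  const path = glob.startsWith('/') ? glob : '/' + glob;
  const escaped = path.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// Assumption: only "<all_urls>" and exact-origin patterns such as
// "https://example.com/*" are modelled, not the full match-pattern grammar.
function originMatches(pattern, origin) {
  if (pattern === '<all_urls>') return /^https?:\/\//.test(origin);
  return new URL(pattern).origin === origin;
}

// initiatorOrigin: origin of the document that requests the file.
function canLoad(initiatorOrigin, resourceUrl, war = webAccessibleResources) {
  const url = new URL(resourceUrl);
  if (`${url.protocol}//${url.host}` !== OWN_ORIGIN) return false; // not our package
  // Documents on the extension's own origin (including sample.html inside the
  // injected iframe) can load any packaged file; the manifest list is not consulted.
  if (initiatorOrigin === OWN_ORIGIN) return true;
  // Any other initiator needs an entry that lists the file and admits its origin.
  return war.some((entry) =>
    entry.resources.some((r) => resourcePattern(r).test(url.pathname)) &&
    ((entry.matches || []).some((m) => originMatches(m, initiatorOrigin)) ||
      (entry.extension_ids || []).some((id) => initiatorOrigin === `chrome-extension://${id}`)));
}
```

The list therefore limits what a host page can fetch directly, not what an exposed extension page can pull in once it is running, so every HTML file made web-accessible should be reviewed together with the scripts and styles it loads.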

0 Answers