[bug] This document requires 'TrustedScript' assignment.

Question

[bug] This document requires 'TrustedScript' assignment.

root0x0 opened this issue 4 years ago · 4 comments

when you browser some websites. which contains an iframe dynamically loaded by javascript. It will throw an error This document requires 'TrustedScript' assignment.

Answer 1 · 2020-11-18T11:29:18.000Z

What URL does the iframe load? It doesn't work with data: but should be fine with any other.

Answer 2 · 2020-11-18T11:52:27.000Z

I think is javascript:

Answer 3 · 2020-11-18T12:30:11.000Z

I was able to reproduce the behavior described. The sequence of loading a javascript: URL in an iframe is like this:

<iframe src=about:blank>
Navigates it to the javascript: URL

The content script of Untrusted Types is configured with match_about_blank so it is injected for <iframe src=about:blank>, but the navigation happens too fast so the injected JavaScript doesn't have a chance to run.

I'll investigate if it's possible to ensure the JavaScript has run before injecting the meta tag.

Answer 4 · 2020-11-18T12:41:58.000Z

Actually forget what I said. It's quite the opposite. Chrome doesn't inject content scripts for <iframe src=javascript:> .The iframe, since is on the same origin, inherits the parent's CSP settings. Hence it doesn't have a default policy. I'm not sure if it's fixable but I'll keep investigating.