filedescriptor/untrusted-types

[bug] This document requires 'TrustedScript' assignment.

root0x0 opened this issue · 4 comments

When you browse some websites which contain an iframe dynamically loaded by JavaScript, it will throw an error: This document requires 'TrustedScript' assignment.

What URL does the iframe load? It doesn't work with data: but should be fine with any other.

I think it is javascript:
Screenshot 2020-11-18 7:51:00 PM

I was able to reproduce the behavior described. The sequence of loading a javascript: URL in an iframe is like this:

  1. <iframe src=about:blank>
  2. Navigates it to the javascript: URL

The content script of Untrusted Types is configured with match_about_blank so it is injected for <iframe src=about:blank>, but the navigation happens too fast so the injected JavaScript doesn't have a chance to run.

I'll investigate if it's possible to ensure the JavaScript has run before injecting the meta tag.

Actually, forget what I said. It's quite the opposite. Chrome doesn't inject content scripts for <iframe src=javascript:>. The iframe, since it is on the same origin, inherits the parent's CSP settings. Hence it doesn't have a default policy. I'm not sure if it's fixable but I'll keep investigating.