javascript – Chrome应用:从父窗口访问沙盒iframe
作者:互联网
我在谷歌Chrome应用程序中使用knockoutjs.为了能够使用knockout,我必须将真正的application.html定义为sandox页面并将其作为iframe包含在虚拟容器中.申请结构如下:
- container.html
|
+-- application.html as iframe
|
+-knockout and application.js
iframe定义如下:
<iframe src="application.html" frameborder="0"
sandbox="allow-same-origin allow-scripts" ></iframe>
运行
document.getElementsByTagName("iframe")[0]
在container.html上的检查工具中抛出以下错误.
Sandbox access violation: Blocked a frame at "chrome-extension://hllbklabnppjkmnngfanldbllljfeaia"
from accessing a frame at "chrome-extension://hllbklabnppjkmnngfanldbllljfeaia".
The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
如何从父母那里访问iframed文档?
解决方法:
做这样的事情:
的manifest.json
"sandbox": {
"pages": ["my_ui.html"]
}
my_ui.html
<script type="text/javascript" src="knockout-1.2.3.4.js"></script>
<script type="text/javascript" src="my_ui.js"></script>
my_ui.js
this.onSomethingChange = function() {
window.top.postMessage(
{ command: 'please-do-something', myArgument: this.myArgument() }, '*');
};
container.html
<script type="text/javascript" src="container.js"></script>
<iframe id="knockoutFrame" src="my_ui.html"></iframe>
container.js
window.addEventListener('message', function(event) {
var kocw = document.getElementById('knockoutFrame').contentWindow;
var anotherContentWindow = // etc.
var dest;
if (event.source == kocw) {
// The knockout iframe sent us a message. So we'll forward it to our
// app code.
dest = anotherContentWindow;
}
if (event.source == anotherContentWindow) {
// Our app code is responding to the knockout message (or initiating
// a conversation with that iframe). Forward it to the knockout code.
dest = kocw;
}
if (dest == null) {
console.log('huh?');
}
// This makes container.js like a gatekeeper, bouncing valid messages between
// the sandboxed page and the other page in your app. You should do
// better validation here, making sure the command is real, the source
// is as expected for the kind of command, etc.
dest.postMessage(event.data, '*');
}
您的声明“我必须将真正的application.html定义为沙箱页面并将其作为iframe包含在虚拟容器中”可能不是您想要的.我们的想法是将最小的东西沙箱,消息发送到验证消息的网守页面,并让网守将窄消息转发给非沙盒应用程序逻辑.如果你只是把所有东西塞进沙盒中,你就会破坏沙盒的用途.
免责声明:从安全角度来看,我没有仔细检查过这段代码.您可能希望假设恶意消息来自沙箱(或来自其他地方,就此而言),并尽力解决该威胁.
标签:javascript,google-chrome,iframe,sandbox,google-chrome-app 来源: https://codeday.me/bug/20190629/1327542.html