
javascript – Chrome App: accessing a sandboxed iframe from the parent window

Author: Internet

I'm using knockoutjs in a Google Chrome App. To be able to use knockout, I had to define the real application.html as a sandboxed page and include it as an iframe in a dummy container. The application structure is as follows:

- container.html
|
+-- application.html as iframe 
   |
   +-knockout and application.js

The iframe is defined as follows:

  <iframe src="application.html" frameborder="0"  
            sandbox="allow-same-origin allow-scripts" ></iframe>

Running

document.getElementsByTagName("iframe")[0]

in the inspector on container.html throws the following error.

Sandbox access violation: Blocked a frame at "chrome-extension://hllbklabnppjkmnngfanldbllljfeaia" 
from accessing a frame at "chrome-extension://hllbklabnppjkmnngfanldbllljfeaia".  
The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

How can I access the iframed document from the parent?

Answer:

Do something like this:

manifest.json

  "sandbox": {
    "pages": ["my_ui.html"]
  }

my_ui.html

  <script type="text/javascript" src="knockout-1.2.3.4.js"></script>
  <script type="text/javascript" src="my_ui.js"></script>

my_ui.js

  // Runs inside the sandboxed page: it has no direct access to the
  // container, so it can only talk to it via postMessage.
  this.onSomethingChange = function() {
    window.top.postMessage(
      { command: 'please-do-something', myArgument: this.myArgument() }, '*');
  };

container.html

  <script type="text/javascript" src="container.js"></script>
  <iframe id="knockoutFrame" src="my_ui.html"></iframe>

container.js

  window.addEventListener('message', function(event) {
    var kocw = document.getElementById('knockoutFrame').contentWindow;
    var anotherContentWindow = null; // etc. -- the contentWindow of your non-sandboxed app frame
    var dest = null;

    if (event.source == kocw) {
      // The knockout iframe sent us a message. So we'll forward it to our
      // app code.
      dest = anotherContentWindow;
    }
    if (event.source == anotherContentWindow) {
      // Our app code is responding to the knockout message (or initiating
      // a conversation with that iframe). Forward it to the knockout code.
      dest = kocw;
    }
    if (dest == null) {
      console.log('huh?');
      return; // unknown sender: drop the message instead of crashing below
    }

    // This makes container.js like a gatekeeper, bouncing valid messages between
    // the sandboxed page and the other page in your app. You should do
    // better validation here, making sure the command is real, the source
    // is as expected for the kind of command, etc.
    dest.postMessage(event.data, '*');
  });

Your statement "I had to define the real application.html as a sandboxed page and include it as an iframe in a dummy container" is probably not what you want. The idea is to sandbox the smallest thing possible, send messages to a gatekeeper page that validates them, and have the gatekeeper forward narrow messages to the non-sandboxed application logic. If you just stuff everything into the sandbox, you defeat the purpose of the sandbox.

Disclaimer: I haven't scrutinized this code from a security standpoint. You'll probably want to assume malicious messages coming from the sandbox (or from anywhere else, for that matter) and do your best to address that threat.
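The answer above leaves the "better validation" as an exercise. The following is an added example, not part of the original answer, of what that gatekeeper looks like once it actually validates: each frame gets an allowlist of commands it may send, the message is rebuilt from an allowlist of fields rather than forwarded verbatim, and the target origin is pinned whenever the receiver's origin is known. The frame ids (`knockoutFrame`, `appFrame`), the command names, the `myArgument` field and the `appOrigin` value are assumptions made for this illustration.

```javascript
// Added example (not the original answer's code): a gatekeeper for the
// container page that validates every postMessage before forwarding it
// between the sandboxed knockout frame and the non-sandboxed app frame.
// Frame ids ('knockoutFrame', 'appFrame'), command names and the
// 'appOrigin' value are assumptions made for this illustration.

// Commands each side is allowed to send. Anything else is dropped.
const ALLOWED_FROM_SANDBOX = new Set(['please-do-something', 'ui-ready']);
const ALLOWED_FROM_APP = new Set(['set-state', 'show-error']);
const MAX_ARG_LENGTH = 256;

// Decide where a message goes. Returns { dest, targetOrigin, data } for a
// message that passes validation, or null for one that must be dropped.
function routeMessage(event, frames) {
  const data = event.data;
  // Only accept plain objects carrying a string command.
  if (data === null || typeof data !== 'object' || typeof data.command !== 'string') {
    return null;
  }

  let dest, allowed, targetOrigin;
  if (event.source === frames.sandboxWin) {
    // Sandbox -> app. The app frame shares the container's
    // chrome-extension:// origin, so the target origin can be pinned.
    dest = frames.appWin;
    allowed = ALLOWED_FROM_SANDBOX;
    targetOrigin = frames.appOrigin;
  } else if (event.source === frames.appWin) {
    // App -> sandbox. A sandboxed page without allow-same-origin has an
    // opaque origin, which cannot be named as a targetOrigin, so '*' it is.
    dest = frames.sandboxWin;
    allowed = ALLOWED_FROM_APP;
    targetOrigin = '*';
  } else {
    return null; // not one of our two frames: drop
  }

  if (!allowed.has(data.command)) {
    return null; // command not permitted for this sender
  }

  // Rebuild the message from an allowlist of fields so the receiver never
  // sees attacker-chosen extra properties.
  const forwarded = { command: data.command };
  if (Object.prototype.hasOwnProperty.call(data, 'myArgument')) {
    forwarded.myArgument = String(data.myArgument).slice(0, MAX_ARG_LENGTH);
  }
  return { dest, targetOrigin, data: forwarded };
}

// Wire the gatekeeper into a window. getFrames is called per message so the
// iframes may finish loading after the listener is installed.
function installGatekeeper(win, getFrames) {
  win.addEventListener('message', function (event) {
    const route = routeMessage(event, getFrames());
    if (route === null) {
      return; // silently drop; log here if you want an audit trail
    }
    route.dest.postMessage(route.data, route.targetOrigin);
  });
}

// In container.js of a real Chrome App (assumed frame ids):
// installGatekeeper(window, () => ({
//   sandboxWin: document.getElementById('knockoutFrame').contentWindow,
//   appWin: document.getElementById('appFrame').contentWindow,
//   appOrigin: location.origin,
// }));
```

Note the asymmetry in target origins: the app frame is same-origin with the container, so `postMessage` can name that origin and the browser will refuse delivery if the frame has been navigated elsewhere; the sandboxed frame's origin is opaque, so `'*'` is the only option there, which is exactly why the sandboxed side should be the one holding the least sensitive data.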

Tags: javascript, google-chrome, iframe, sandbox, google-chrome-app
Source: https://codeday.me/bug/20190629/1327542.html