Comment #5 on issue 30442 by vigacmoe: Extension content scripts can get out of the sandbox via window.top
http://code.google.com/p/chromium/issues/detail?id=30442
I did a simple test on the latest dev channel release (4.0.288.1 dev); it seems that window.top is simply set to 'undefined' for content scripts residing in <iframe>s, right?
I think this is inconsistent, because content scripts share the same DOM with the in-page JavaScript; they should have access to the parent frame's DOM, as long as the parent frame and the child frame are in the same domain. This is also what the document states:
"They (content scripts) have access to the DOM of the page they are injected into, but not to any JavaScript variables or functions created by the page."
Setting window.top to 'undefined' also makes it very inconvenient for content scripts to communicate between frames; the only way left is passing messages through background pages.
What should be removed from window.top, in my opinion, are JavaScript variables and functions created by the page, not everything; the JavaScript objects created by the parent frame's content scripts should also be visible to the child frame's content scripts.
Please reconsider the solution. Thank you.