"activeTab" permission does not include iframes in current tab?

Add-ons Development
#1

I just came upon the fact that this code does not work. I tried to inject this kind of content script here:

 browser.tabs.executeScript({
    code: 'document.body.style.border = "5px solid red";',
    allFrames: true
 });

(I used this site as a demo here)

This is of course a demo, I actually want to get the selection from the current tab, but it illustrates the problem in a more visual way. :wink:

So what happens is this:

w3schools only shows red border on top of main site. bottom part with some iframes ibncluded does not show it
grafik.png1026×378 36.6 KB

Funny thing is – when it does not work at all (because you have no permission) Firefox 60/61 displays this error:

Error: Missing host permission for the tab, and any iframes

When you, however, just fail to acquire some permissions (for iframes, as it seems) it does not display such an error, but just falls back to only the top-level site.
From a development point of view this may also not the optimal behaviour. (argh… debugging)

Talking about debugging… I think the MDN docs may need some adjustment, too. They do not explicitly mention that you need separate permissions for the iframes… I mean, in my case – when I think you get them, at least.

Finally, I think the behaviour is odd. The iframes of the current tab are still the in the “current tab” – are not they? So should not they also be covered by the permission?
And no, I don’t want to request permission for all sites when I can keep it restricted to the current tab only – less permissions are always good.

So, IMHO; you should change that behaviour. If needed, maybe make a new permission “activeTabWithIframes” or so… In nay case I think many add-ons, which want to access the current tab, also want to access any iframe in it. And many of these still don’t need access to any other tab.

Some use cases for add-ons:

  • getting the currently selected text -> should work on whole page (user does not actually see a difference for iframe or not iframe)
  • modifying DOM/visual appearance or so may also often work on whole tab
  • generally things that work on the active tab should work on the whole page, i…e iframes. They are technically also “active” (i.e. shown) when the user e.g. executes the browser action. And users don’t even know whether there is an iframe or whether the content is embedded via a div or so…

Also:

  • in the w3schools example the iframes are actually in the same origin (domain name) as the main tab. So well… this should be at least covered by activeTab, should not it?
  • AFAIK the restriction may not even be useful from a security point of view – at least not from a integrity point – as content scripts could remove the iframe node, and re-ad their own (“malicious”) one. It may help as for confidentially though…
1 Like