Description of the issue:
If an installed extension injects an iframe to any of its own views (.html files), then the iframe will be blocked by the Brave shield and not visible.
Iframes that show extension views should not be blocked by default.
Note: This does not affect unpacked extensions in developer mode, but affects all packed extensions from any sources, even with developer mode enabled.
How can this issue be reproduced?
Small code sample for easy reproduction:
manifest.json
{
"name": "Brave shield bug repro",
"description": "Brave shield bug repro",
"manifest_version": 3,
"version": "0.0.0.1",
"permissions": [],
"host_permissions": [
"https://community.brave.com/*"
],
"web_accessible_resources": [
{
"resources": [
"view.html"
],
"matches": [
"https://community.brave.com/*"
]
}
],
"content_scripts": [
{
"matches": [
"https://community.brave.com/*"
],
"js": [
"inject-iframe.js"
]
}
]
}
view.html
<!DOCTYPE html>
<html>
<body>
This should be visible.
</body>
</html>
inject-iframe.js
const iframe = document.createElement('iframe');
iframe.src = chrome.runtime.getURL('view.html');
document.body.insertBefore(iframe, document.body.firstChild);
- Create the 3 files with the names and contents as shown above and put them in the same directory.
- Enable developer mode, click
pack extensionand select the directory. - Drag the resulting .crx into Brave to install the extension.
- Visit https://community.brave.com/
Expected result:
The iframe is visible at the top of the page.
Actual result
The iframe is blocked by the Brave shield.
Brave Version( check About Brave):
1.46.133, but probably affects all versions
Additional Information:
code samples above