Opened on 10/05/2016 at 06:25:05 PM
Closed on 05/31/2017 at 11:07:16 AM
Last modified on 07/07/2017 at 01:22:34 PM
#4494 closed defect (fixed)
Error message on pages with sandboxed iFrame
| Reported by: | greiner | Assignee: | kzar |
|---|---|---|---|
| Priority: | Unknown | Milestone: | Adblock-Plus-1.13.3-for-Chrome-Opera |
| Module: | Platform | Keywords: | |
| Cc: | sebastian, kzar | Blocked By: | |
| Blocking: | Platform: | Unknown / Cross platform | |
| Ready: | no | Confidential: | no |
| Tester: | Ross | Verified working: | yes |
| Review URL(s): | |||
Description
Environment
Ubuntu 16.04
Chrome 53.0.2785.116
Adblock Plus 1.12.2.1662
How to reproduce
- Go to http://jsfiddle.net/cburgmer/E8fb2/13/
- Observe page's JavaScript console output.
Observed behaviour
The following error message is shown:
Blocked script execution in 'about:blank' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. runInPageContext @ include.preload.js:344
Expected behaviour
No error message is shown.
Attachments (1)
Change History (15)
comment:1 Changed on 10/05/2016 at 08:40:37 PM by sebastian
- Cc kzar added
Changed on 10/05/2016 at 09:57:15 PM by mapx
comment:2 Changed on 10/05/2016 at 09:57:43 PM by mapx
I got the same console error, see the attached image
error at row 344 in preload.js
my chrome: Version 54.0.2840.41 beta-m (64-bit)
last dev build of ABP.
comment:3 Changed on 10/06/2016 at 11:05:53 AM by sebastian
- Owner set to sebastian
comment:4 Changed on 10/06/2016 at 11:36:40 AM by sebastian
- Owner sebastian deleted
For some reasons, I still cannot reproduce it on JSFiddle. But I was able to reproduce it, using <iframe sandbox>, on a simple test page, I created.
However, I couldn't find a way to get rid of that error message. Since it's technically not an exception, it cannot be catched. Neither seems it be possible to detect whether we run in a sandboxed frame that doesn't allow scripts to run, in order to not inject the script in the first place. We cannot access the frameElement (unless allow-same-origin is enabled). However, just because the frameElement cannot be accessed, doesn't necessarily mean that we run in a sandboxed frame that disallows scripts.
For reference, we inject scripts that way in order to patch the WebSocket API (#1727) and to protect our shadow root (#4191).
comment:5 Changed on 10/17/2016 at 03:09:41 PM by cgarnier
Got the same issue using a js library.
https://github.com/cburgmer/rasterizeHTML.js
It create an hidden iframe for doing some process and the exception appears.
It s boring because even by disable adblock on the page, it throw.
Edit: pointless, it the same issue as the how to reproduce.
comment:6 Changed on 05/30/2017 at 09:24:30 AM by kzar
- Review URL(s) modified (diff)
- Status changed from new to reviewing
comment:7 Changed on 05/30/2017 at 09:24:42 AM by kzar
- Owner set to kzar
comment:8 Changed on 05/31/2017 at 11:02:53 AM by abpbot
A commit referencing this issue has landed:
Issue 4494 - Avoid causing some sandbox related warnings
comment:9 follow-up: ↓ 10 Changed on 05/31/2017 at 11:07:16 AM by kzar
- Milestone set to Adblock-Plus-for-Chrome-Opera-next
- Resolution set to fixed
- Status changed from reviewing to closed
(As close to fixed as we're going to get anyway.)
comment:10 in reply to: ↑ 9 Changed on 06/23/2017 at 01:07:58 PM by Ross
Replying to kzar:
(As close to fixed as we're going to get anyway.)
In Chrome, the only warning remaining is about some advert json.
In Opera, there are still two warnings about blocked execution, but these are related to rasterizeHTMl.
In Safari, the warnings about runInPageContext, include.preload.js still occur.
Was this fix just for the error about our preload.js script and just in Chrome?
ABP 1.12.4.1753
Chrome 53 / 56 / Windows 7
Opera 45 / Windows 7
Safari 9.0 / OS X 10.11
comment:11 Changed on 06/23/2017 at 01:38:03 PM by kzar
This change is not related to Safari since we build the Safari extension from a separate (much older) version of the code these days. Could you confirm if the Chrome / Opera warnings you observed are still present when Adblock Plus isn't installed?
comment:12 Changed on 06/27/2017 at 08:47:57 AM by Ross
The warnings are not present when Adblock Plus is not installed. They then appear after installing ABP and reloading the JSFiddle.
ABP 1.13.2.1785
Chrome 49 / Windows 7
Opera 39 / Windows 7
comment:13 Changed on 06/27/2017 at 10:22:09 AM by kzar
So unless I'm mistaken the warnings you're seeing in Chrome are due to the fact that Adblock Plus blocked a couple of requests. This issue is only about the sandboxed frame warnings:
include.preload.js:874 Blocked script execution in 'about:blank' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
To confirm if the fix for this issue worked try installing the version just before 1.13.2.1777, check if the above warning shows up for the JSFiddle page, then try installing the latest version and check the warning doesn't show up any more.
Note: The fix aims only to reduce the occurrences of that warning, we couldn't figure out a foolproof solution and so we expect it to occasionally show up on some webpages. Also to reiterate the fix does not aim to reduce any other warnings, such as net::ERR_BLOCKED_BY_CLIENT ones.
comment:14 Changed on 07/07/2017 at 01:22:34 PM by Ross
- Tester changed from Unknown to Ross
- Verified working set
Fixed.
ABP 1.13.2.1785
Chrome 49 / 59 / Windows 7
Operar 36 / 45 / Windows 7
I briefly tried to reproduce it in Chrome 47 and Chrome 54 beta, and I did not see this warning in the JavaScript console. Except for a warning indicating a blocked XHR, which is expected, there are no warnings I get with Adblock Plus installed, but not without.