Firefox WebExtension - How to obtain and modify content of cross domain iframe

Question

I would like to know how to access and modify the contents of a cross domain iframe in JavaScript within a Firefox WebExtension. I understand the limitations of normal JavaScript and that modifying a cross domain iframe would be an XSS vulnerability, but I believe there is some way to do it in a WebExtension that I cannot find. I believe this because the legacy extension manifests had options for allowing cross domain content in the permissions section.

When viewing old code for the legacy versions of FireFox extensions, there seems to be options for cross domain content for certain websites in the fashion below. Although for the new FireFox WebExtension, this is not a feature listed in the documentation.

"cross-domain-content": ["https://www.example.com"]

Here is my manifest.json file.

{
  "manifest_version": 2,
  "name": "Test Extension",
  "version": "1.0",
  "content_scripts": [
    {
      "matches": ["*://*/*"],
      "all_frames": true,
      "js": [
        "js/main.js"
      ]
    }
  ],
  "permissions": [
    "*://*/*",
    "<all_urls>",
  ]
}

Here is my main.js file.

// Code is being run within an iframe ("all_frames": true)
if (window != window.top) {
  // Attempt to log the source of the parent iframe
  // If cross domain, met throws - Error: Permission denied to access property "frameElement"
  console.log(window.parent.frameElement.src);
}

As you can see in the main.js file, when attempting to print the source for the parent iframe an error is thrown as below.

Error: Permission denied to access property "frameElement"

I want to know how it would be possible to allow a FireFox WebExtension to access and modify the contents of a cross domain iframe. I'm not sure if it is a problem of not putting down the right permission in the manifest, or that I have to use the WebExtension API or something, I just can't find anything on this.

Additionally, if anyone could refer or provide me some examples of modifying the contents of an iframe in this fashion, it would be much appreciated.

Answer 1

Directly accessing cross-domain content is not possible

Directly accessing cross-domain content is not, or at least should not, be possible. While there may be a way around this restriction (I have not looked exhaustively), it would not be intentional and would be considered a bug.

Unlike other types of Firefox extensions, WebExtensions are granted permissions to access content on, at most, a domain by domain basis. This is regardless of you specifying "<all_urls>", or "*://*/*" in your manifest.json permissions. Specifying multiple domain permissions does not open up access to cross-domain content. Opening up access to cross-domain content would be a more complex problem, which would, potentially, have its own set of security related bugs. As a result, specifying multiple domains in your permissions just permits you to inject scripts/CSS into multiple matching URLs, without special access to cross-domain content. Thus, there should not be a way to directly access content in, or from, a cross-domain iframe.

Cross-domain content must be accessed with a script injected in that frame

If you want to access that cross-domain content, you must inject a script in the iframe, or top level window, which you desire to access. As mentioned, your ability to inject such scripts/CSS is one of the things controlled by permissions. You can then use message passing (either from/to the content scripts in the top frame/child frame, or relayed through a background script) to communicate between the scripts you have injected in the cross-domain frames.

Given that you are already injecting scripts into <all_urls>, and all_frames, you will just need to implement one of the methods of communicating between them mentioned above. You will then need to request the information you need from the other script, or pass the information to the other script for processing.