我正在尝试在我的谷歌插件中使用功能策略,串行。我很难尝试在 iframe 中启用此特定功能策略,主要是因为父 iframe 没有启用它。下面是 iframe DOM 树的样子。我无法直接访问"sandboxFrame"和"userHtmlFrame",因此无法更改其允许的功能。即使我在大多数子iframe中设置了"串行",我也找不到在其功能Policy中启用的"串行"功能。
<iframe id="sandboxFrame" allow="accelerometer *; ambient-light-sensor *; autoplay *; camera *; clipboard-read *; clipboard-write *; encrypted-media *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *; midi *; payment *; picture-in-picture *; screen-wake-lock *; speaker *; sync-xhr *; usb *; web-share *; vibrate *; vr *" sandbox="allow-downloads allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts" src="https://...-script.googleusercontent.com/...">
<iframe id="userHtmlFrame" allow="accelerometer *; ambient-light-sensor *; autoplay
*; camera *; clipboard-read *; clipboard-write *; encrypted-media *; fullscreen *;
geolocation *; gyroscope *; magnetometer *; microphone *; midi *; payment *; picture-
in-picture *; screen-wake-lock *; speaker *; sync-xhr *; usb *; web-share *; vibrate
*; vr *" src="/blank" title="">
<iframe id="myIframe" allow="serial *;" sandbox="allow-forms allow-modals allow-popups allow-presentation allow-same-origin allow-scripts" src="...external website in
GitHub Pages">
...
</iframe>
</iframe>
</iframe>
如果任何熟悉谷歌附加组件的人可以证明我对任何事情都是错误的,那将是伟大的。我将不胜感激任何形式的帮助。
谢谢。
- 是的,仅当父上下文授予了该权限时,您才能将任何权限传递到嵌套 iframe 中。
请记住,在传递权限时,源将相应地更改,即:
<iframe scr='https://example.com' allow="fullscreen 'self'">// the permission for fullscreen is 'self' (== http://example.com)// but main thing is this is that iframe HAS that permission, therefore// it can grant it to any nested context with ANY origin:<iframe src='https://www.youtube.com' allow="fullscreen https://www.youtube.com">// will get permission of fullscreen mode for https://www.youtube.com origin</iframe></iframe>
- 在
父 iframe 中,
serial功能策略指令未在allow='...'属性中指定。这意味着允许使用默认值 -'src'使用此功能。因此父 iframe 对serial具有隐式权限,因此它可以将其传递到任何嵌套的 iframe 中。我没有听到有关
serial功能策略指令的任何消息,它是否受支持?