I am reading the documentation on Chrome Apps and CSP. However, the behavior that I see in the browser is not consistent with the documentation, and the documentation itself seems contradictory - in particular:
iframes that point to remote URLs that are disabled within Chrome Apps.
vs, on the same page:
Sandboxes can use iframes
Which apparently includes the remote iframes allowed by the manifest permissions.
My use case is pretty simple: I want to embed Spotify in my Chrome app, which is usually done with:
<iframe src="https://embed.spotify.com/?uri=spotify:track:4bz7uB4edifWKJXSDxwHcs" width="300" height="380" frameborder="0" allowtransparency="true"></iframe>
My manifest.json:
"app": {
  "background": {
    "scripts": ["js/background.js"]
  }
},
"permissions": [
  "https://embed.spotify.com/*"
],
"sandbox": {
  "pages": ["sandbox.html"]
},
And my sandbox.html (which is in its own iframe on the background page):
<body>
<iframe src="https://embed.spotify.com/?uri=spotify:track:4bz7uB4edifWKJXSDxwHcs" width="300" height="380" frameborder="0" allowtransparency="true"></iframe>
</body>
However, I still get:
https://embed.spotify.com/?uri=spotify:track:4bz7uB4edifWKJXSDxwHcs ', " ": "frame-src" self: chrome-extension-resource: ". sandboxed.html: 2
. , -? .
iframe ? , ?
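Added example, not part of the original question and not Chrome's own code: a simplified CSP source-list matcher showing why the Spotify embed URL is refused under the `frame-src` policy quoted in the error, independent of the manifest `permissions` entry. The extension ID, the `REPORTED` string (read from the garbled error above) and the `WIDENED` policy are assumptions made for illustration.

```javascript
// Simplified CSP source-list check for a framed URL (added example).
// Ports, nonces and hashes are ignored; 'self' compares scheme and host only.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  return directives;
}

function sourceMatches(source, url, self) {
  const kw = source.toLowerCase();
  if (kw === "'self'") return url.protocol === self.protocol && url.host === self.host;
  if (kw === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(kw)) return url.protocol === kw; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(?:\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false; // 'none' and other keywords match no URL
  const [, scheme, wildcard, host, path] = m;
  const schemeOk = scheme ? url.protocol === scheme.toLowerCase() + ':' : /^https?:$/.test(url.protocol);
  const h = host.toLowerCase();
  const hostOk = wildcard ? url.hostname.endsWith('.' + h) : url.hostname === h;
  const pathOk = !path || (path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path);
  return schemeOk && hostOk && pathOk;
}

// frame-src falls back to child-src, then default-src; no directive means no restriction.
function frameAllowed(policy, target, documentUrl) {
  const directives = parsePolicy(policy);
  const name = ['frame-src', 'child-src', 'default-src'].find((d) => directives.has(d));
  if (!name) return { allowed: true, directive: null };
  const url = new URL(target);
  const self = new URL(documentUrl);
  const allowed = directives.get(name).some((src) => sourceMatches(src, url, self));
  return { allowed, directive: name };
}

// Constructed sample values (the extension ID is a placeholder).
const DOC = 'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/sandbox.html';
const EMBED = 'https://embed.spotify.com/?uri=spotify:track:4bz7uB4edifWKJXSDxwHcs';
const REPORTED = "frame-src 'self' chrome-extension-resource:"; // assumed reading of the error
const WIDENED = "frame-src 'self' https://embed.spotify.com";  // hypothetical, for contrast

console.log('reported policy:', frameAllowed(REPORTED, EMBED, DOC));
console.log('widened policy: ', frameAllowed(WIDENED, EMBED, DOC));
```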