
How do I enable Feature/Permissions Policy in an iframe in Google Add-ons?


I am trying to use a feature policy, serial, in my Google add-on. I am having difficulty enabling this particular feature policy inside an iframe, mainly, I believe, because the parent iframes don't have it enabled. Below is what the iframe DOM tree looks like. I don't have access to "sandboxFrame" and "userHtmlFrame" directly, so I cannot change their allowed features. Even if I set 'serial' in the innermost child iframe, I cannot find the 'serial' feature enabled in its featurePolicy.

<iframe id="sandboxFrame" allow="accelerometer *; ambient-light-sensor *; autoplay *; camera *; clipboard-read *; clipboard-write *; encrypted-media *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *; midi *; payment *; picture-in-picture *; screen-wake-lock *; speaker *; sync-xhr *; usb *; web-share *; vibrate *; vr *" sandbox="allow-downloads allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts" src="https://...-script.googleusercontent.com/...">
    <iframe id="userHtmlFrame" allow="accelerometer *; ambient-light-sensor *; autoplay *; camera *; clipboard-read *; clipboard-write *; encrypted-media *; fullscreen *; geolocation *; gyroscope *; magnetometer *; microphone *; midi *; payment *; picture-in-picture *; screen-wake-lock *; speaker *; sync-xhr *; usb *; web-share *; vibrate *; vr *" src="/blank" title="">
       <iframe id="myIframe" allow="serial *;" sandbox="allow-forms allow-modals allow-popups allow-presentation allow-same-origin allow-scripts" src="...external website in GitHub Pages">
       ...
       </iframe>
    </iframe>
</iframe>

If anyone acquainted with Google add-ons can prove me wrong about anything, that would be great. I would appreciate any kind of help.

Thank you.


Solution

    1. Yes, you can pass any permission into a nested iframe, but only if the parent context has that permission granted.
      Keep in mind that when passing permissions the origin will be changed accordingly, i.e.:

    <iframe src='https://example.com' allow="fullscreen 'self'">
    <!-- the permission for fullscreen is 'self' (== https://example.com) -->
    <!-- but the main thing is that this iframe HAS that permission, therefore -->
    <!-- it can grant it to any nested context with ANY origin: -->
    <iframe src='https://www.youtube.com' allow="fullscreen https://www.youtube.com">
    <!-- will get permission of fullscreen mode for the https://www.youtube.com origin -->
    </iframe>
    </iframe>

    2. In the parent iframe, the serial Feature Policy directive is not specified in the allow='...' attribute. That means this feature is allowed with the default value, 'src'. Therefore the parent iframe implicitly has permission for serial, so it can pass it into any nested iframe.

    3. I have heard nothing about the serial Feature Policy directive; is it supported?
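
The following is an added example, not code from the question or the answer. It is a simplified model of how the Permissions Policy specification decides whether a feature reaches a nested frame, applied to the question's frame chain, where it reports serial as disabled in all three frames. Assumptions: the origins are constructed placeholders, the outer allow list is abridged, no Permissions-Policy response headers are set, and the default allowlist for serial and usb is 'self' as their specifications define.

```javascript
// Simplified model: no Permissions-Policy headers, no opaque sandbox origins.
// Default allowlists as defined by the Web Serial and WebUSB specs.
const DEFAULTS = { serial: "'self'", usb: "'self'" };

// Parse allow="..." into Map<feature, tokens[]>; a bare feature means 'src'.
function parseAllow(attr) {
  const policy = new Map();
  for (const part of (attr || "").split(";")) {
    const [feature, ...tokens] = part.trim().split(/\s+/).filter(Boolean);
    if (feature) policy.set(feature, tokens.length ? tokens : ["'src'"]);
  }
  return policy;
}

// 'self' = embedding document's origin; 'src' = origin of the iframe's src URL,
// which in this model is always the child's own origin.
function allowlistMatches(tokens, childOrigin, parentOrigin) {
  return tokens.some(t =>
    t === "*" || t === "'src'" || t === childOrigin ||
    (t === "'self'" && childOrigin === parentOrigin));
}

// chain[0] is the top-level document; each later entry is an iframe nested in
// the previous one. Returns one boolean per iframe: is `feature` enabled there?
function inheritedPolicy(feature, chain) {
  const results = [];
  let parentEnabled = true; // top-level document has the feature by default
  for (let i = 1; i < chain.length; i++) {
    const { origin, allow } = chain[i];
    const parentOrigin = chain[i - 1].origin;
    const declared = parseAllow(allow).get(feature);
    const enabled = parentEnabled && (declared // a parent without it cannot delegate
      ? allowlistMatches(declared, origin, parentOrigin)
      : DEFAULTS[feature] === "*" || origin === parentOrigin);
    results.push(enabled);
    parentEnabled = enabled;
  }
  return results;
}

// Constructed origins (the page elides the real ones); OUTER is abridged.
const OUTER = "camera *; microphone *; usb *";
const CHAIN = [
  { origin: "https://host.example" },
  { origin: "https://sandbox.example", allow: OUTER },     // sandboxFrame
  { origin: "https://sandbox.example", allow: OUTER },     // userHtmlFrame
  { origin: "https://pages.example", allow: "serial *;" }, // myIframe
];
console.log(inheritedPolicy("serial", CHAIN));
```

In a Chromium browser, the same question can be asked of a live frame with `document.featurePolicy.allowsFeature('serial')`.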