[bug] This document requires 'TrustedScript' assignment.

[root0x0]

when you browser some websites. which contains an iframe dynamically loaded by javascript. It will throw an error This document requires 'TrustedScript' assignment.

[filedescriptor]

What URL does the iframe load? It doesn't work with data: but should be fine with any other.

[root0x0]

I think is javascript:

[filedescriptor]

I was able to reproduce the behavior described. The sequence of loading a javascript: URL in an iframe is like this:

1. <iframe src=about:blank>
2. Navigates it to the javascript: URL

The content script of Untrusted Types is configured with match_about_blank so it is injected for <iframe src=about:blank>, but the navigation happens too fast so the injected JavaScript doesn't have a chance to run.

I'll investigate if it's possible to ensure the JavaScript has run before injecting the meta tag.

[filedescriptor]

Actually forget what I said. It's quite the opposite. Chrome doesn't inject content scripts for <iframe src=javascript:> .The iframe, since is on the same origin, inherits the parent's CSP settings. Hence it doesn't have a default policy. I'm not sure if it's fixable but I'll keep investigating.