docs: add cross-origin iframe guidance (CDP WebSocket path) to forge references#15
Open
Wadehl wants to merge 1 commit into
Open
docs: add cross-origin iframe guidance (CDP WebSocket path) to forge references#15Wadehl wants to merge 1 commit into
Wadehl wants to merge 1 commit into
Conversation
…references When target data is inside a cross-origin iframe, browser-act's eval is blocked by the browser's same-origin policy. This commit documents the verified fallback: connect directly to the iframe's CDP WebSocket target, bypassing cross-origin enforcement at the protocol level. Changes: - exploration_extraction.md: add "Cross-Origin iframe" section after DOM Extraction, covering browser-act capability boundary (state/click ok, eval blocked), CDP WebSocket direct-connect pattern with Python code examples, and decision rule for when to use state+click vs CDP - output_template.md: add "CDP Direct" component type with SKILL.md template block, CDP-specific Python wrapper template (connects to CDP and prints result directly, no eval wrapping), and extend Filling Specification #17 to include the new label
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Background
During real-world use of browser-act-skill-forge, a gap was encountered: when the target data is rendered inside a cross-origin iframe, the forge references provided no guidance. The
evalcommand is blocked by the browser's same-origin policy, and without a documented fallback, exploration stalls with no clear next step.Root Cause
The exploration and output references only cover same-origin scenarios. Cross-origin iframes create a hard split in browser-act's command set:
stateandclickwork — OS-level accessibility, not subject to same-origin policyevalis blocked at the JS layerThis split was not documented, leaving the forge without a defined path for this case.
Verified Solution
Chrome DevTools Protocol (CDP) exposes every frame — including cross-origin iframes — as an independent debugging target listed at
http://localhost:9222/json. By connecting directly to the iframe'swebSocketDebuggerUrlvia the Pythonwebsocketslibrary, arbitrary JS can be executed inside the iframe without touching the browser's same-origin enforcement. This was validated end-to-end: virtual scroll triggering, DOM querying, and structured data extraction all work through this path.Changes
references/exploration_extraction.mdstate/clickok,evalblocked)state+clickwhen the a11y tree is sufficient; use CDP when JS execution inside the iframe is required.pyfiles and labeledCDP Directin the generated Skillreferences/output_template.mdCDP Directas a new named component type under Capability Componentseval "$(...)"wrapping)CDP Directlabel appliesDesign Rationale
The CDP path is Python-native: the WebSocket connection must live in Python, so the script cannot follow the standard "print JS string → eval" contract. Making this a distinct labeled type prevents misuse and keeps the
eval "$(...)"wrapper convention unambiguous for all other component types.