Is the ability to access parent DOM from iframe (i.e. plugin views) a feature or a bug?

As the title states.

I would consider it a security vulnerability, although if it's an intended feature it would be useful for the plugin I'm developing, since it gives me a lot more freedom on the UI (allowing me to show non-modal dialogs on one corner of the app, showing notification toasts, etc.).

If you mean from a content script then it's normal as these purposely have a lower level access, for performance purposes. However you shouldn't rely on it as there's a good chance it will break sooner or later. Basically if it's not documented it's not supported and can break.

Actually I haven't tested with content scripts. I only tested with webview scripts.

Anyway, I would like to ask whether it's possible to create DOM elements outside the plugin views, or whether it's possible to create floating panels.

You can create modal dialogs but not sure that's what you want. What use case do you have in mind?

My plugin needs to run some potentially long-running operation. I would like to show the running status on a toast/snackbar. Maybe even a floating panel at one corner of the app where I can show the details about the long-running operation.

Something like

In all this I don't want to prevent the user from working on their notes, so a modal dialog doesn't fit my use case.
