
iframe tag missing allow-same-origin, prevents loading SDK in iframe #4883

Open

kevmo314 opened this issue May 9, 2021 · 3 comments

kevmo314 commented May 9, 2021

[REQUIRED] Describe your environment

  • Operating System version: Windows 10
  • Browser version: Edge 90.0.818.51
  • Firebase SDK version: 8.2.1
  • Firebase Product: database

[REQUIRED] Describe the problem

Iframing a cross-domain page that invokes the Firebase JS SDK seems to result in an error.

BrowserPollConnection.ts:503 Sandbox access violation: Blocked a frame at "https://overlays.rtirl.com" from accessing a frame at "null".  Both frames are sandboxed and lack the "allow-same-origin" flag.
BrowserPollConnection.ts:518 Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame.
    at Function.ji.createIFrame_ (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:110223)
    at new ji (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:112331)
    at n (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:105983)
    at Qi.open (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:107180)
    at https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:117875

The relevant failure line is here: https://github.com/firebase/firebase-js-sdk/blob/master/packages/database/src/realtime/BrowserPollConnection.ts#L500

Steps to reproduce:

Domain foo.com:

<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="https://bar.com/"></iframe>

Domain bar.com:

<script src="... firebase js sdk ..."></script>
<script>
firebase.initializeApp(...);
firebase.database()...
</script>

Should result in the above exception.

If I understand same-origin policies correctly, I believe the SDK just needs to add the sandbox="allow-same-origin" attribute to the created iframe element?

@looptheloop88

Hi @kevmo314, thanks for the report and apologies for the delay in response. I was able to replicate this issue using the latest SDK version 8.6.2.

Per this similar issue filed before, it's working as expected. Let me check and update this thread for the explanation as to why, or bring someone here.

@kevmo314 (Author)

I see, thanks for the link. An explanation or documentation would definitely be appreciated. At the very least if it's WAI, a better error message so others don't waste time debugging. :)

b-smets commented Feb 10, 2022

Any update on this? We are also facing this with an iframe which is sandboxed to disallow allow-same-origin.
The workaround in #123 relies on forcing websockets but some firewalls block them.
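
For the two sandbox setups discussed here (the report's embedding attribute and b-smets's frame without allow-same-origin), the following added example, which is not Firebase SDK code and not from any participant in this thread, models how HTML sandbox flags propagate through nested frames, so an embedding page can predict before runtime whether the SDK's internally created long-polling iframe will be reachable. It assumes the HTML rule that a nested frame's effective sandbox is the union of its own restrictions and its embedder's, so an inner frame cannot re-grant a token such as allow-same-origin that an outer sandbox withheld; the function names and the four tokens modelled are the example's own choices.

```javascript
// Added example, not code from the Firebase SDK or this thread. A sandbox value is
// modelled as the set of granted "allow-*" tokens; a nested frame's grants are the
// intersection of its own tokens and every ancestor's (assumed HTML inheritance rule).
const MODELLED_TOKENS = ['allow-same-origin', 'allow-scripts', 'allow-forms', 'allow-popups'];

// Parse one <iframe sandbox="..."> value. null/undefined = attribute absent
// (frame not sandboxed, everything granted); "" = sandboxed with nothing granted.
function parseSandbox(attr) {
  if (attr == null) return new Set(MODELLED_TOKENS);
  const granted = new Set();
  for (const tok of attr.toLowerCase().split(/[ \t\n\f\r]+/)) {
    if (MODELLED_TOKENS.includes(tok)) granted.add(tok);
  }
  return granted;
}

// Effective grants for the innermost frame, given the sandbox attributes of each
// <iframe> on the path from the top-level document down (outermost first).
function effectiveSandbox(chain) {
  let effective = new Set(MODELLED_TOKENS);
  for (const attr of chain) {
    const own = parseSandbox(attr);
    effective = new Set([...effective].filter((t) => own.has(t)));
  }
  return effective;
}

// Predict whether a page at the end of `chain` can create a child iframe and
// script its document, which is what the SDK's long-polling transport does.
// The SDK's own frame carries no sandbox attribute, so the caller appends null.
function diagnoseLongPollFrame(chain) {
  const eff = effectiveSandbox(chain);
  if (!eff.has('allow-scripts')) {
    return { ok: false, reason: 'scripts are blocked by an ancestor sandbox' };
  }
  if (!eff.has('allow-same-origin')) {
    return {
      ok: false,
      reason: 'origin is opaque ("null"): an ancestor sandbox lacks allow-same-origin, ' +
        'so the page and the iframe it creates cannot access each other',
    };
  }
  return { ok: true, reason: 'same-origin access preserved' };
}

// Constructed samples: the embedding attribute from the report, then a variant without allow-same-origin.
const reportChain = ['allow-same-origin allow-scripts allow-popups allow-forms', null];
const restrictedChain = ['allow-scripts allow-forms', null];
console.log(diagnoseLongPollFrame(reportChain), diagnoseLongPollFrame(restrictedChain));
```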
