
Failed to execute 'postMessage' on 'DOMWindow'

Open msschl opened this issue 5 years ago • 10 comments

On our IdentityServer I serve a restricted csp header:

default-src 'none'; frame-ancestors 'none'; style-src 'self'; img-src 'self'; script-src 'self'

When authenticating my spa app I first try to see if I can authenticate the user silently. This happens when the user is already logged in on the IdP and is done using a hidden iframe on the client. After that I use a traditional redirect flow. Authentication currently works only with the traditional flow, since I serve that restricted CSP. So at first there is nothing wrong here. But looking in the console reveals this error message: Failed to execute 'postMessage' on 'DOMWindow'. The error is correct. But it seems like the oidc-client library is stuck in some loop since this message keeps increasing.


I think this might be a bug in the library.

msschl avatar Dec 02 '19 21:12 msschl

Sorry, did you ever sort this out?

brockallen avatar Jul 21 '20 21:07 brockallen

Yes and no. The problem we had was regarding the restricted CSP. This is sorted out.

This issue is about the oidc-client-js library continuously spamming the same error message in the console as long as the window is open. Is there any retry logic built into the library? Or might the library be stuck in a loop?

msschl avatar Jul 21 '20 22:07 msschl

Hmm, but that's the browser spamming the error message, right? Based on something the app is doing (not the library), no?

brockallen avatar Jul 21 '20 23:07 brockallen

Yes it’s the browser. But I think this is because although the iframe failed to load it still gets added to the body of the document. Thus the browser keeps retrying to load the iframe. Maybe a check whether the iframe was loaded successfully or not, before adding it to the document's body might help?

msschl avatar Jul 22 '20 07:07 msschl

I think your CSP needs to accommodate what you want to do with this iframe. IOW, if you want to support it, update the CSP to allow it (dynamically). Or don't trigger the iframe from the client (there are options to not trigger the behavior). The UserManager does 2 diff iframes depending on what you want: session monitor or silent login. So if you're preventing them, then don't trigger them in the first place.

brockallen avatar Jul 22 '20 13:07 brockallen
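An added example (not from the oidc-client-js project or either participant) that makes the two options above concrete. Both the session monitor and silent login load an IdP page in a hidden iframe on the SPA, so the IdP's frame-ancestors directive must permit the SPA origin; the code parses the IdP's CSP header, checks that, and enables the iframe-based UserManager settings only when framing is allowed. The settings keys are the real oidc-client-js names (monitorSession, automaticSilentRenew, silent_redirect_uri); the origins, client_id and paths are constructed sample values.

```javascript
// Added example, not oidc-client-js code. Decides from the IdP's
// Content-Security-Policy whether the SPA may frame it, and builds
// UserManager settings that turn the iframe features off when it may not.

// Parse a CSP header into { directiveName: [sourceExpressions] }.
// Directive names are case-insensitive; the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// True when `origin` (e.g. "https://spa.example.com") matches one
// frame-ancestors source expression. Covers 'none', '*', 'self',
// scheme-only sources ("https:"), exact origins and "*." wildcards.
function sourceMatchesOrigin(source, origin, selfOrigin) {
  const src = source.replace(/^'|'$/g, '').toLowerCase();
  if (src === 'none') return false;
  if (src === '*') return true;
  if (src === 'self') return origin === selfOrigin;
  const o = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return o.protocol === src;
  // A host without a scheme matches the scheme of the page being protected.
  const selfScheme = new URL(selfOrigin).protocol;
  let withScheme = src.includes('://') ? src : `${selfScheme}//${src}`;
  const wildcard = /^([a-z][a-z0-9+.-]*:\/\/)\*\./.test(withScheme);
  if (wildcard) withScheme = withScheme.replace(/^([a-z][a-z0-9+.-]*:\/\/)\*\./, '$1');
  let s;
  try { s = new URL(withScheme); } catch { return false; }
  if (s.protocol !== o.protocol) return false;
  const portOf = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');
  if (portOf(s) !== portOf(o)) return false;
  if (wildcard) return o.hostname.endsWith('.' + s.hostname);
  return s.hostname === o.hostname;
}

// The hidden iframe loads an IdP page inside the SPA, so the IdP's
// frame-ancestors must allow the SPA origin. Without a frame-ancestors
// directive CSP imposes no framing restriction (X-Frame-Options is a
// separate header and is not inspected here).
function idpAllowsFraming(idpCspHeader, idpOrigin, spaOrigin) {
  const ancestors = parseCsp(idpCspHeader)['frame-ancestors'];
  if (!ancestors) return true;
  return ancestors.some((src) => sourceMatchesOrigin(src, spaOrigin, idpOrigin));
}

// Setting names are real oidc-client-js UserManager settings; the
// client_id and paths are constructed placeholders.
function buildUserManagerSettings(idpCspHeader, idpOrigin, spaOrigin) {
  const framingAllowed = idpAllowsFraming(idpCspHeader, idpOrigin, spaOrigin);
  const settings = {
    authority: idpOrigin,
    client_id: 'spa-client',
    redirect_uri: `${spaOrigin}/callback`,
    response_type: 'code',
    scope: 'openid profile',
    // Only start the session-monitor and silent-renew iframes when the
    // IdP can actually be framed; otherwise every attempt is refused by
    // the browser and the failures repeat in the console.
    monitorSession: framingAllowed,
    automaticSilentRenew: framingAllowed,
  };
  if (framingAllowed) settings.silent_redirect_uri = `${spaOrigin}/silent-renew.html`;
  return settings;
}
```

The IdP side is only half of it: the SPA's own CSP must also allow the IdP origin in frame-src (or child-src), or the browser will block the iframe from the other direction. Run the check once at startup, or re-run it after a deployment that changes the IdP headers, and pass the resulting object to new UserManager(settings).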

CSPs are hard 😃 Sometimes it can happen that a CSP is too restrictive. In our case, our CSP was too restrictive, although it was not intended to be so restrictive for iframes. We adjusted our CSP and everything works as expected.

Nevertheless, I think even if a CSP is too restrictive, it should not result in the browser continuously spamming error messages in the console. Therefore, I would propose a check whether the iframe was loaded successfully or not, before adding it to the document's body.

msschl avatar Jul 24 '20 08:07 msschl

The problem is that the iframe doesn't run unless it's part of the body, so I don't think I can do what you ask.

brockallen avatar Jul 24 '20 12:07 brockallen

What about removing the iframe from the body after a certain timeout when it failed to load?

msschl avatar Jul 24 '20 12:07 msschl

I can see if there's something I can do.

brockallen avatar Jul 24 '20 12:07 brockallen

I think I had the same problem before. Please configure your IDP (Keycloak) to support the port of your Application. The IDP will block loading the iframe if you don't configure it. In Keycloak I configured it in the Security Defense tab of Realm Settings.

deanmaster avatar Jul 27 '20 06:07 deanmaster