iframe tag missing allow-same-origin, prevents loading SDK in iframe
[REQUIRED] Describe your environment
- Operating System version: Windows 10
- Browser version: Edge 90.0.818.51
- Firebase SDK version: 8.2.1
- Firebase Product: database
[REQUIRED] Describe the problem
Iframing a cross-domain page that invokes the Firebase JS SDK seems to result in an error.
BrowserPollConnection.ts:503 Sandbox access violation: Blocked a frame at "https://overlays.rtirl.com" from accessing a frame at "null". Both frames are sandboxed and lack the "allow-same-origin" flag.
BrowserPollConnection.ts:518 Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame.
at Function.ji.createIFrame_ (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:110223)
at new ji (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:112331)
at n (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:105983)
at Qi.open (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:107180)
at https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:117875
The relevant failure line is here: https://github.com/firebase/firebase-js-sdk/blob/master/packages/database/src/realtime/BrowserPollConnection.ts#L500
Steps to reproduce:
Domain foo.com:
<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="bar.com"></iframe>
Domain bar.com:
<script src="... firebase js sdk ..."></script>
<script>
firebase.initializeApp(...);
firebase.database()...
</script>
Should result in the above exception.
If I understand same-origin policies correctly, I believe the SDK just needs to add the sandbox="allow-same-origin" attribute to the created iframe element?
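An added example, not code from the SDK or the reporter, modelling how the HTML sandbox flags and document origins propagate to the iframe the SDK creates for long-polling (assumed here to be an about:blank child frame; foo.com and bar.com are the placeholder domains from the report). It shows why both frames end up with an opaque "null" origin in the error quoted above, and why a sandbox attribute on the created frame by itself cannot restore same-origin access, since a nested frame can only add restrictions to what its ancestors impose.

```javascript
// Model of sandboxing-flag and origin inheritance across nested frames.
// Assumptions (per the HTML spec): a document's effective sandbox is the
// union of the restrictions set by its own <iframe sandbox> attribute and by
// every sandboxed ancestor, and a sandboxed document without
// "allow-same-origin" receives a unique opaque origin (shown as "null").
let opaqueCounter = 0;

// src: the document's origin, or "about:blank" for a script-created frame.
// sandbox: the iframe's sandbox attribute value, or null if absent.
function createFrame(parent, src, sandbox) {
  let effective = null; // null means "not sandboxed at all"
  if (sandbox !== null || (parent && parent.effective !== null)) {
    const own = sandbox === null ? null : new Set(sandbox.split(/\s+/).filter(Boolean));
    const inherited = parent ? parent.effective : null;
    // A permission survives only if every sandboxing level grants it.
    effective = new Set([...(own ?? inherited)].filter(
      t => (own === null || own.has(t)) && (inherited === null || inherited.has(t))
    ));
  }
  let origin;
  if (effective !== null && !effective.has('allow-same-origin')) {
    origin = `opaque#${++opaqueCounter}`;            // browser reports this as "null"
  } else if (src === 'about:blank') {
    origin = parent ? parent.origin : 'opaque#top'; // about:blank inherits its creator's origin
  } else {
    origin = src;
  }
  return { origin, effective };
}

// Two frames may script each other only with identical, non-opaque origins.
function canScript(a, b) {
  const opaque = o => o.startsWith('opaque#');
  return !opaque(a.origin) && !opaque(b.origin) && a.origin === b.origin;
}

// Constructed scenario: foo.com embeds bar.com with `topSandbox`; the SDK on
// bar.com then creates its polling iframe with `sdkSandbox` (null = no attr).
function scenario(topSandbox, sdkSandbox) {
  const top = createFrame(null, 'https://foo.com', null);
  const app = createFrame(top, 'https://bar.com', topSandbox);
  const poll = createFrame(app, 'about:blank', sdkSandbox);
  return { appOrigin: app.origin, pollOrigin: poll.origin, ok: canScript(app, poll) };
}

console.log(scenario('allow-scripts', null));                          // ok: false, both opaque
console.log(scenario('allow-scripts', 'allow-same-origin allow-scripts')); // ok: false, still opaque
console.log(scenario('allow-same-origin allow-scripts', null));        // ok: true
```

Only the third case, where the embedding page itself grants allow-same-origin, lets the SDK's frame reach its parent.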
Hi @kevmo314, thanks for the report and apologies for the delay in response. I was able to replicate this issue using the latest SDK version 8.6.2.
Per this similar issue filed before, it's working as expected. Let me check and update this thread for the explanation as to why, or bring someone here.
I see, thanks for the link. An explanation or documentation would definitely be appreciated. At the very least if it's WAI, a better error message so others don't waste time debugging. :)
Any update on this? We are also facing this with an iframe which is sandboxed to disallow allow-same-origin.
The workaround in https://github.com/firebase/firebase-js-sdk/issues/123 relies on forcing websockets but some firewalls block them.