sentry-javascript

Replay causes error `Blocked a frame with origin <hostname> from accessing a frame with origin "https://js.stripe.com"` in Safari when Stripe payment form is on the page

Open jakst opened this issue 1 year ago • 9 comments

Is there an existing issue for this?

  • [x] I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
  • [x] I have reviewed the documentation https://docs.sentry.io/
  • [x] I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/browser

SDK Version

8.22.0

Framework Version

No response

Link to Sentry event

No response

Reproduction Example/SDK Setup

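```javascript
import * as Sentry from "@sentry/browser";

Sentry.init({
  dsn: "https://[email protected]/0",
  // Record a replay for every session
  replaysSessionSampleRate: 1,
  integrations: [
    Sentry.replayIntegration({
      // Replace every iframe with a placeholder in the recording
      block: ["iframe"],
    }),
  ],
});
```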

Steps to Reproduce

A minimal reproduction repo with a deployed example is available at https://github.com/jakst/sentry-replay-stripe. Basically, running the Sentry Replay integration when a Stripe form is rendered causes this error: `Blocked a frame with origin "https://sentry-replay-stripe.vercel.app" from accessing a frame with origin "https://js.stripe.com".`

I was following along in https://github.com/getsentry/sentry-javascript/issues/6560 and thought the issue was resolved, but even though I have confirmed the claimed fix is present in our version of the SDK, we still get this error with the Stripe form together with Sentry Replay.

Expected Result

I would expect that setting `block: ["iframe"]` allows us to render the Stripe payments form without getting any errors.

Actual Result

This error is written in the console on Safari:

Blocked a frame with origin "https://sentry-replay-stripe.vercel.app" from accessing a frame with origin "https://js.stripe.com". Protocols, domains, and ports must match.

jakst avatar Aug 02 '24 10:08 jakst

Ah, it's likely that we don't check the block attribute when an iframe gets added to the DOM after the snapshot.

billyvg avatar Aug 02 '24 15:08 billyvg

> Ah, it's likely that we don't check the block attribute when an iframe gets added to the DOM after the snapshot.

Yeah that sounds like it could be it!

jakst avatar Aug 03 '24 16:08 jakst

@billyvg I've assigned this to you. Let me know if there's something we can help with.

andreiborza avatar Aug 05 '24 15:08 andreiborza

@andreiborza @billyvg https://github.com/getsentry/rrweb/pull/212 was just released in Sentry. I tried upgrading to v8.28.0 in my reproduction repo, but the issue is still there for me. I have confirmed that the changes from https://github.com/getsentry/rrweb/pull/212 are included in the release.

Would you consider reopening this issue? Here's the deployed app with the issue https://sentry-replay-stripe.vercel.app. You can find the repo in the original description.

jakst avatar Sep 03 '24 12:09 jakst

@jakst thanks, looks like we are attempting to attach a load event listener to the iframe even if it is blocked (I believe this is semi-intentional since we want the dimensions of the iframe after it loads because the dimensions are used for the iframe placeholder).

billyvg avatar Sep 03 '24 21:09 billyvg

Should I interpret that as "working as intended"? Or will you investigate if there are ways around it? If the browser blocks the listener from attaching to the iframe anyway, it doesn't sound like it needs to run in this case.

jakst avatar Sep 04 '24 06:09 jakst

No, no conclusion yet, I've just identified the code in question (and a possible side-effect). We'll have to look into this a bit more and see if conditionally attaching an event listener will cause anything unintended.

billyvg avatar Sep 04 '24 15:09 billyvg

I'm experiencing the same issue, but without having Replay enabled. The only integration I have on init is reactRouterV6BrowserTracingIntegration.

I'm on sentry/[email protected].

metalmarker avatar Sep 20 '24 05:09 metalmarker

@metalmarker thanks for chiming in. Could you provide a minimal reproduction repo or stackblitz?

andreiborza avatar Sep 20 '24 06:09 andreiborza

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

getsantry[bot] avatar Jan 01 '25 08:01 getsantry[bot]

Not stale

jakst avatar Jan 02 '25 17:01 jakst

I believe I might be facing the same issue.

https://www.reddit.com/r/webdev/comments/1ip16te/blocked_a_frame_with_origin_httpsglamaai_from/

Is there a way to disable this integration?

punkpeye avatar Feb 14 '25 03:02 punkpeye

Confirmed. Disabling replay fixes the issue.

punkpeye avatar Feb 14 '25 03:02 punkpeye

This should be fixed now. If you block the iframe, it won't attach a load event listener to the iframe. Released in 9.3.0

billyvg avatar Mar 14 '25 13:03 billyvg
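
The ordering described in the last comment, as an added sketch that is not rrweb or Sentry SDK code: the block selector is checked before any listener is attached or the frame's document is read. `observeIframe`, `isReadableFrame` and the `fakeIframe` stand-in are hypothetical names, and the stand-in is constructed so the example runs under Node without a browser.

```javascript
// Added illustration; not rrweb or Sentry SDK code. All names are hypothetical.

// True only when the parent page can read the frame's document.
function isReadableFrame(iframe) {
  try {
    // A cross-origin frame reads as null here; the catch is defensive.
    return iframe.contentDocument !== null;
  } catch (err) {
    return false;
  }
}

// Decide how a recorder treats an iframe that was just added to the DOM.
function observeIframe(iframe, blockSelector, onLoad) {
  // Block check comes first, so a blocked frame is never touched at all.
  if (blockSelector && iframe.matches(blockSelector)) return 'blocked';
  if (!isReadableFrame(iframe)) return 'cross-origin';
  iframe.addEventListener('load', () => onLoad(iframe.contentDocument));
  return 'observed';
}

// Constructed stand-in for a DOM iframe so the sketch runs under Node.
function fakeIframe(crossOrigin) {
  const frame = {
    reads: 0, // how often contentDocument was accessed
    listeners: [], // event types registered on the element
    matches: (selector) => selector === 'iframe',
    addEventListener(type) { this.listeners.push(type); },
  };
  Object.defineProperty(frame, 'contentDocument', {
    get() {
      frame.reads += 1;
      return crossOrigin ? null : { title: 'same-origin document' };
    },
  });
  return frame;
}

// Each entry: [decision, contentDocument reads, listeners registered].
function demo() {
  const blocked = fakeIframe(true);
  const unblocked = fakeIframe(true);
  const local = fakeIframe(false);
  return {
    blocked: [observeIframe(blocked, 'iframe', () => {}), blocked.reads, blocked.listeners.length],
    unblocked: [observeIframe(unblocked, null, () => {}), unblocked.reads, unblocked.listeners.length],
    local: [observeIframe(local, null, () => {}), local.reads, local.listeners.length],
  };
}
console.log(demo());
```
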