jestjs
[Bug]: jest-runtime accesses `jsdom`'s `window.localStorage`, inviting `SecurityError`s when origin is opaque
Version
28.0.3
Steps to reproduce
Continuing the discussion from https://github.com/jsdom/jsdom/issues/2304#issuecomment-1119172182. (I agree that this is a Jest issue, not a jsdom issue.)
- Clone my repo at https://github.com/chrisbobbe/jest-repro-security-error/
-
yarn && yarn test - See output like
FAIL ./foo.test.js
● Test suite failed to run
SecurityError: localStorage is not available for opaque origins
Expected behavior
I should not get an error about using localStorage unless I'm meaningfully trying to use localStorage when it's forbidden.
Actual behavior
I get an error about using localStorage, even though I'm not meaningfully trying to use it.
Additional context
(Again, if you haven't, please see context at https://github.com/jsdom/jsdom/issues/2304#issuecomment-1119172182.)
Pasting from the test file in my repro:
// With this line, I get this output:
//
// FAIL ./sum.test.js
// ● Test suite failed to run
//
// SecurityError: localStorage is not available for opaque origins
//
jsdom.reconfigure({ url: 'file:///something' });
// …Without it, the test passes.
//
// The problem is that jest-runtime, at line
// https://github.com/facebook/jest/blob/3390ec4ef6a1b93afa816655f5c1f0605066b15a/packages/jest-runtime/src/index.ts#L1165
// , is inadvertently calling jsdom's `get localStorage`:
// https://github.com/jsdom/jsdom/blob/4c7eed155e421c3b261667b6312d4c89d2a74c1b/lib/jsdom/browser/Window.js#L417-L426
// , which throws that SecurityError when the window's location has an
// opaque origin. "file:///something" is an example of a URL with an opaque
// origin:
// https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque
//
// I can make the error go away by changing that code in jest-runtime such
// that `envGlobal[key]` doesn't run if `key` equals "localStorage". Once I
// do that, and the same for if `key` is "sessionStorage", the test runs and
// passes.
Environment
System:
OS: macOS 12.3.1
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Binaries:
Node: 17.6.0 - /usr/local/bin/node
Yarn: 1.22.17 - /usr/local/bin/yarn
npm: 8.5.1 - /usr/local/bin/npm
npmPackages:
jest: ^28.0.3 => 28.0.3
I should not get an error about using
localStorageunless I'm meaningfully trying to uselocalStoragewhen it's forbidden.
Jest isn't trying to use it either. Seems aggressive from JSDOM's side to warn on access, not usage (i.e. localStorage.getItem or some such).
E.g. const jsdom = new JSDOM('<script>console.log(typeof localStorage)</script>', {runScripts: 'dangerously'}) prints the same error, killing feature detection.
Not sure if we should just ignore localStorage by default or hope JSDOM tweaks their check to be more precise.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 30 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Might be worth an issue in jsdom to make the check a bit less strict, but skipping it in jest seems reasonable in the meantime
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 30 days.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 30 days.
This issue was closed because it has been stalled for 7 days with no activity. Please open a new issue if the issue is still relevant, linking to this one.
This issue was closed because it has been stalled for 7 days with no activity. Please open a new issue if the issue is still relevant, linking to this one.
Looks like version 29.2.2 of jest-environment-jsdom now defaults to http://localhost/ (see https://github.com/facebook/jest/blob/main/packages/jest-environment-jsdom/src/index.ts#L64)
any news about it? i see this error in jest 29.7.0 (jest-environment-jsdom v26.6.2)
