
[BUG] Safari - Block All Cookies - SecurityError The operation is insecure

Open ackava opened this issue 9 months ago • 8 comments

Description/Screenshot


Steps to Reproduce

  • OS/Browser: iOS/Safari
  • First open Settings on the iPhone, go to Safari, go to Advanced, set Block All Cookies to True (On).
  • Restart Safari by closing manually
  • Open a page with Application Insights JS
  • How you initialized the SDK:
<script type="text/javascript">
!function(T,l,y){<!-- Removed the Snippet code for brevity -->}(window,document,{
src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",
crossOrigin: "anonymous",
onInit: function (sdk) {
  sdk.addTelemetryInitializer(function (envelope) {
    envelope.data.someField = 'This item passed through my telemetry initializer';
  });
}, // Once the application insights instance has loaded and initialized this method will be called
cfg: { // Application Insights Configuration
    connectionString: "YOUR_CONNECTION_STRING"
}});
</script>

<script>
  // other scripts that fail to execute here
</script>

Expected behavior

Page should open normally, but page blocks and any other javascript on the page doesn't work.

Additional context

The loading of page fails with an error and this blocks subsequent JavaScript on the page. Safari does not allow localStorage, sessionStorage when you set Block All Cookies to true, so the AI script needs to address this and ignore any local storage.

ackava (Mar 28 '25 07:03)

Is this what you "expect" or what is happening?

Page should open normally, but page blocks and any other javascript on the page doesn't work.

If it's what you expect to happen, then I don't think we can do this.

In terms of "using" LocalStorage or SessionStorage we have existing code that checks and is "supposed" to help with situations like this https://github.com/microsoft/ApplicationInsights-JS/blob/main/shared/AppInsightsCommon/src/StorageHelperFuncs.ts

@Karlie-777, @siyuniu-ms can you please investigate and identify if we have code that is not using / verifying the access correctly? As these functions exist so that if the runtime blocks storage or we are provided with config to block us from using session storage we should be gracefully handling this situation.

MSNev (Mar 28 '25 17:03)

And one quick comment on the telemetryInitializers from your code:

 sdk.addTelemetryInitializer(function (envelope) {
    envelope.data.someField = 'This item passed through my telemetry initializer';
  });

you didn't add a try catch inside your telemetry Initializers function and this function might throw an error as well. Because envelope.data might be undefined

Karlie-777 (Mar 28 '25 17:03)
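The two points raised above (the storage-availability checks MSNev links to, and Karlie-777's note that an initializer can throw when envelope.data is undefined) as an added example in plain JavaScript; this is not ApplicationInsights-JS code, and the Storage stand-ins are constructed so the example runs outside a browser:

```javascript
// Added example, not ApplicationInsights-JS code. Safari with "Block All Cookies" throws a
// SecurityError as soon as window.localStorage / window.sessionStorage is touched, so storage
// access is probed inside try/catch, and a telemetry initializer is wrapped so it cannot throw.

// Probe a storage object through a getter so the property access itself is inside the try.
// Returns the Storage on success, null when access throws or a write is rejected.
function probeStorage(getStorage) {
  try {
    const storage = getStorage();
    if (!storage) return null;
    const key = "__ai_storage_probe__";
    storage.setItem(key, "1");   // some private modes hand out the object but reject writes
    storage.removeItem(key);
    return storage;
  } catch (e) {
    return null;                 // SecurityError, QuotaExceededError or anything else: unusable
  }
}

// Wrap an initializer so a throw is swallowed and the telemetry item is kept.
// Follows the SDK convention that an explicit `false` return drops the item.
function makeSafeInitializer(initializer) {
  return function (envelope) {
    try {
      return initializer(envelope) !== false;
    } catch (e) {
      return true;               // an initializer bug must not break the page
    }
  };
}

// The initializer from the report, hardened: envelope.data may be undefined.
function tagEnvelope(envelope) {
  if (!envelope.data) envelope.data = {};
  envelope.data.someField = "This item passed through my telemetry initializer";
}

// Constructed stand-ins for the browser objects (hypothetical, for running outside a browser).
function blockedStorage() {          // what Safari's "Block All Cookies" does on access
  const err = new Error("The operation is insecure.");
  err.name = "SecurityError";
  throw err;
}
function memoryStorage() {           // a working Storage-like object
  const m = new Map();
  return {
    setItem: (k, v) => { m.set(k, String(v)); },
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a browser the call is `probeStorage(() => window.localStorage)`, and the wrapped initializer is what gets passed to `sdk.addTelemetryInitializer`.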

and when you switch to the non-cognition mode and turn off security settings, does your app run as expected?

Karlie-777 (Mar 28 '25 17:03)

This seems to be working correctly.

This wasn't the blocking issue, the script was blocked by some other third party script. It just took a long time to figure out due to the poor debugging features of Safari, as Safari never pointed to the exact failure in the third party script but always pointed to the AI initializer script. The strange part was that removing the AI script didn't cause the failure, so we debugged everything for 2 days to verify where the script was failing.

So here is what is happening,

  1. If AppInsights is on the page, and other script is on the page, page fails to load
  2. If AppInsights is not on the page, but other script is on the page, page loads correctly
  3. If AppInsights is on the page but other script is removed, page loads correctly.

I am unable to figure out why this is happening. The issue is with Safari, because Safari tells me it is the AppInsights script which is accessing localStorage and failing, but in truth, it is the other script that is failing.

Is this due to some hooks that AppInsights is installing, so that we cannot get the actual error? This is not an issue on other browsers.

ackava (Mar 30 '25 07:03)

Hmm, that is odd.

We don't "hook" too many things in the runtime and nothing related to Local or Session Storage (we just use the APIs). Things that we do hook:

  • fetch and XMLHttpRequest (we "patch" the entrypoints / classes so we can catch all requests; setting the disableAjaxTracking config on initialization stops us from doing this)
  • We listen and register a bunch of "events", but this is just using addEventListener, although we do track some of these with attached references (namespaces) to support multiple instances, but these use unique names so should not get in the way of anything else; we don't have any configs to disable all of these

We do dynamically update our own prototypes for our classes but this should not affect any external.

Random thought: this "other" script, is it also internally using a version of Application Insights? If it's using another (older) version (specifically v1) there might be some clashing. For mixing v2 and v3 we perform several checks, but the older code will always tend to overwrite the newer version, causing issues (most of these can be worked around by using npm rather than the CDN, but that also means you have to redeploy to update the underlying version of AI).

MSNev (Mar 31 '25 16:03)

Secondary thought: have you noticed whether it's a load order problem and therefore a race condition because you're loading from the CDN? I.e. does it sometimes work? For the AI SDK Loader (snippet) we have an ld (load delay) setting that you can set to wait this number of milliseconds before dropping the main script tag onto the page to load the main SDK from the CDN; this can be used to delay when we are initialized (but it also means the collection of telemetry and the timing of the initial page view will be delayed or a little off).

MSNev (Mar 31 '25 17:03)

@MSNev

  1. Updated the AI script to load from the recent CDN. Still the same issue.
  2. I am not sure of the loading error, but when debugging in Safari, if any other script accesses localStorage in privacy mode, the Safari debugger takes me to the AI script. We updated the other script and wrapped localStorage in try/catch, so the error is resolved as of now.

But I do see a debugging nightmare: for some reason Safari is probably mixing up source maps and taking it to the first recorded exception instead of the actual exception. This could be a bug in Safari itself. I just wanted to know if any hooks or any dynamic prototype changes could mix up source maps.

ackava (Apr 24 '25 03:04)

If you're using the CDN, you can change the URL to use the non-minified version to work around the map file nightmares that some runtimes have.

CDN Debugging Support

Basically, just "drop" the .min from the URL.

MSNev (Apr 24 '25 20:04)