remark42
remark42 copied to clipboard
umputun
The operation is insecure
remark installed on domain comments.foo.com and I try to use it on domain blog.bar.com
Request to access cookie or storage on “https://comments.foo.com/web/iframe.html?site_id=some_id&url=https%3A%2F%2Fblog.bar.com%2F2017%2F06%2F08%2Fhow-to-use-apache-asynchttpclient-with-kotlin-coroutines%2F” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. embed.js:1:1672
Request to access cookie or storage on “https://comments.foo.com/web/iframe.html?site_id=some_id&url=https%3A%2F%2Fblog.bar.com%2F2017%2F06%2F08%2Fhow-to-use-apache-asynchttpclient-with-kotlin-coroutines%2F” was blocked because we are blocking all third-party storage access requests and content blocking is enabled. remark.js:formatted:4259
SecurityError: The operation is insecure. remark.js:formatted:1285
Is it latest safari with "prevent cross-site tracking"? If so, this is the known issue due to the iframe usage. I think all other systems with similar logic have the same problem, see for example this discussion. Btw, all of this seems to work fine if domains related, i.e. www.example.com and remark42.example.com.
@igoradamenko is trying to address it. If anyone has bright ideas on how to handle it - pls share.
Btw, all of this seems to work fine if domains related, i.e. www.example.com and remark42.example.com
yes, for same domain it works, i.e. comments.foo.com can be used in foo.com, but not in bar.com.
@IRus, because of security reasons; lots of them.
Could you imagine third-party widget on any site without an iframe?
Why you treat self-hosted solution as third-party? You already load some JS, so what the problem to do all job within this file? What vectors of attack you considered?
@IRus, that's the open question, actually.
On the one hand, “self-hosted” means that user understands and considers ricks (e.g. conflict between site's JS & CSS and widget's ones). On the other hand, “self-hosted” means that user can deploy it once and use on every site that he wants to (e.g. p.umputun.com, podcast.umputun.com, radio-t.com, news.radio-t.com), and Remark in this case shouldn't affect anything around it.
Also I'm not sure that iframe-less architecture throws all problems away. But if we can't find solution for this problem, we will try iframe-less, yes.
@igoradamenko with preact, post-css/sass/less, bem-like approach, plus shadow dom (about 80% support) you can build mature solution for conflicting styles/js problems.
I believe you can do it :+1:
I've found that "the operation is insecure" is caused by getCollapsedComments(). Every call to localStorage while in situation when iframe is on 3rd-party domain and third-party cookies blocked in Firefox throws an Error.
I thought of making pr: https://github.com/Reeywhaar/remark/tree/third-party-cookie-crash but the changes made there only patch localStorage, so that comments iframe doesn't crash, and at least show some comments. It's an open question, should Remark try to pass through privacy restrictions, or just disable login and show some message that "your browser settings prevent access to storage, every changes will be wiped on reload"?
@Reeywhaar at least user can see comments in such case, and user can leave comments. So as quick fix it's good solution.
@IRus User still will not be able to login, because cookies also disabled, they just silently fail on set and are empty on get. User ends with {"details":"failed to get jwt","error":"jwt cookie was not presented: http: named cookie not present"} error on oauth.
The situation seems to be resolved, and current issues with using another domain are described in the documentation (and all related to auth). Resolving this issue, feel free to comment if the issue persists.
