IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

Check session fails on iphone Chrome due to foreign PostMessage #4051

Closed jonyeezs closed 4 years ago

jonyeezs commented 4 years ago

We can only help you if you are on the latest version. Either use the latest 2.x or 3.x: Currently on version 2.5.4 (We are unable to migrate to 3 at this point in time - but will soon).

This issue is ❗critical❗ to our operation.

Unable to successfully complete check session on iPhone 12 and later Chrome. Works on Safari and other browsers.

Issue / Steps to reproduce the problem

Tooling:

Steps

The session_error event is a valid event where we would want the user to try logging in again or error them out. But what is failing is that the whole system works EXCEPT a foreign message gets sent to the iframe FROM the parent(!)😱

Relevant parts of the log file

For testing purposes I recreated the checksession html page with our own logging to see what's happening.

This is what we get:

jonyeezs commented 4 years ago

iOS chromium implementation on iframe setup also expects objects to be sent to an iframe: https://github.com/chromium/chromium/blob/master/ios/web/js_messaging/resources/setup_frame.js.

And there is this SO post: https://stackoverflow.com/questions/54079756/internal-chromium-postmessage-event

jonyeezs commented 4 years ago

Suggestion we have is to ensure that we have defensive code to enforce the contract of event.data to be a string and only allow that to go through to calculateSessionStateResult.

Proposed on CheckSessionResult.cs

    if (window === e.source) {
        // ignore browser extensions that are sending messages.
        return;
    }

    if (typeof e.data !== "string") {
        // ignore foreign messages: the RP contract is a plain string "client_id session_state"
        return;
    }
jonyeezs commented 4 years ago

Couple providers that do this:

brockallen commented 4 years ago

Do you know why/who is sending the invalid request in the first place?

jonyeezs commented 4 years ago

The origin is from our parent website (hosting the iframe).

But we don't have any other code sending messages to the checksession iframe.

Plus it only happens on iOS chrome.

Why it is sending? No idea. There's a SO post I mentioned above with people equally as confused.

Could not find anything official from the chrome team.

jonyeezs commented 4 years ago

Has there been any progress on this? Sorry I couldn't provide more root analysis. I can't be the only one who has encountered this issue??

brockallen commented 4 years ago

I've never heard of this issue before, but your proposed change is benign enough I don't see why we can't include it in the next release.

jonyeezs commented 4 years ago

Very curious. Do you have an environment with a SPA and checkSession enabled? Wondering if others experience it on iPhone chrome as well.

The stackoverflow post kinda affirms my position. And it only happens on that browser. All other works. Must be browser specific.


Roach6996 commented 4 years ago

I am facing a similar issue. It breaks only on Chrome and works on Safari (iOS).

brockallen commented 4 years ago

Sorry that this slipped through the cracks and I didn't get to it until now. PR submitted.
