OneSignal.isPushNotificationsEnabled() does not work in Safari iframe

[jones-rr]

Description:

code connected to isPushNotificationsEnabled() tries to call IDBFactory.open() which throws a security exception when called inside an iframe in Safari.

Steps to Reproduce Issue:

1. a.html:

<html><body><iframe src=b.html></iframe></body></html>

1. b.html:

<html><body>
<script src="https://cdn.onesignal.com/sdks/OneSignalSDK.js" async=""></script>
<script>
var OneSignal = window.OneSignal || [];
OneSignal.push(function() {
    OneSignal.init({
        appId: "...",
    });
    OneSignal.isPushNotificationsEnabled(function(b) {
        console.log ('push enabled: '+b);
    });
});
</script>
</body></html>

1. Open a.html in Safari. Open developer tools. In debug panel, put a break point for "All Exceptions". Reload.
2. Security Exception thrown trying to IDBFactory.open().

[rgomezp]

Thank you for reporting

[jones-rr]

Note this prevents the solution recommended on your page:

When user is subscribed to my.example.com, open an iframe to www.example.com. Call OneSignal.isPushNotificationsEnabled() in the iframe, which will return true for this user. Call OneSignal.setSubscription(false) in the iframe to unsubscribe the user from www.example.com, since they are already subscribed to my.example.com.

https://documentation.onesignal.com/docs/web-push-complex-integrations#section-override-subscription-status

Currently we are not sure how to implement OneSignal with a site that uses www1.example.com, www2.example.com, etc. since the recommended solution does not work.

[ejlocop]

This is what happens when running my app in the Brave browser.

[rgomezp]

@jones-rr , sorry for the delay. Are you still seeing the issue?

[rgomezp]

@ejlocop , unfortunately Brave is not currently a supported browser. We hope to add support soon

[jones-rr]

@rgomezp last time I checked - yes. Our site has www1.example.com, www2.example.com, etc. and we are not sure how to implement web push for this case, since the OneSignal recommendation is iframe but that is not supported for Safari.

[rgomezp]

@jones-rr , Can you confirm your site is HTTP and not HTTPS?

[jones-rr]

@rgomezp it's all https

[rgomezp]

My mistake. Understood. Can you include a full stack trace that includes more than just the database security exception:?

[jones-rr]

@rgomezp see attached

[rgomezp]

Howdy, Thanks for the screenshot. Would you be willing to share your site URL so we can take a look ourselves?

[rgomezp]

Closing due to no response

[jones-rr]

You can close it if you want, but whether or not I can publish a live link on our site that you can use to investigate does not mean it's not a bug.

Reproduce it yourself using the instructions I gave up above.

[jkasten2]

Using an iframe to share data between multiple domains an end-user visits isn't going to work any more due to Chrome's CHIPS / Storage Partitioning. Also, Safari already does this as well.

@jones-rr Is this your use case?