dumberjs / dumber-gist

A lightweight online IDE to write JS SPA prototypes in your own GitHub gists.
https://gist.dumber.app
MIT License

[Help request] Can't get dumber gist work on Brave in an iframe. #19

Closed bigopon closed 4 years ago

bigopon commented 4 years ago

Simply navigate to https://buttonwoodcx.github.io/doc-bcx-validation/examples/foreach-and-nested on the Brave browser. I can't seem to get it to work, even when turning off the shield.

Getting FS errors, something like this: image

3cp commented 4 years ago

I saw a different error. Somehow Brave prevented the nested iframe (the embedded app iframe in the dumber-gist example iframe).

__boot-up-worker.html:1 Uncaught (in promise) DOMException: Failed to register a ServiceWorker for scope ('https://5887cc0e17694eb2261c5e6d2776b600.gist.dumber.app/') with script ('https://5887cc0e17694eb2261c5e6d2776b600.gist.dumber.app/__dumber-gist-worker.js'): The user denied permission to use Service Worker.

bigopon commented 4 years ago

So, I checked and saw this: image

The cookies at [hash].gist.dumber.app are blocked, even with my allowance for: image

It seems [hash].gist.dumber.app is considered a different site.

bigopon commented 4 years ago

And it seems to work fine on FF for me now, after I added the same config above.

bigopon commented 4 years ago

It also works fine on Chrome after the permission above.

3cp commented 4 years ago

I am confused why Chrome and Brave (same engine) require cross-origin cookies for service worker to work.

There is no doc that says service worker needs cookies at all. I could not find any clear explanation.

In comparison, even if I turn on "block all cookies" in Safari, dumber-gist still works in an iframe. Safari clearly didn't check cookie permission for service worker.

3cp commented 4 years ago

Dumber-gist itself uses no cookie at all.

3cp commented 4 years ago

One thing might be related: Cloudflare created a cookie __cfduid on domain .dumber.app.

3cp commented 4 years ago

https://github.com/brave/brave-browser/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+iframe

bigopon commented 4 years ago

That's a lot of issues. Though codesandbox works for me in an iframe.

3cp commented 4 years ago

Probably my limited understanding of service worker.

codesandbox can fall back to using a backend; that might help.

3cp commented 4 years ago

Will try the sandbox attribute tomorrow: https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

I guess both Brave and Safari had implicitly turned on some sandbox on the iframe without the sandbox attribute. They manifested as different issues.

allow-same-origin is probably the critical restriction to be lifted.

3cp commented 4 years ago

Nope :-( It didn't help Brave with sandbox="allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts", although the additional sandbox attribute still worked in other browsers.

3cp commented 4 years ago

It did fix Brave by turning off one config in Brave shields.

Cookies, from "Only block cross-site cookies" to "Allow all cookies".

BTW, it's hyper confusing that Chromium (and Brave) uses the term "cookies" to mean "cookies, and localStorage and a few other things".

3cp commented 4 years ago

Turning shields off also worked for me.

3cp commented 4 years ago

I need to detect the Brave browser (and shields if possible), then tell the user what to do if the service worker didn't boot up after a timeout.

3cp commented 4 years ago

https://github.com/brave/brave-browser/issues/8216

3cp commented 4 years ago

Partially addressed this issue by telling the user what to do when the service worker failed.

3cp commented 4 years ago

@bigopon is this considered "fixed"? Dumber gist now shows a readable error message on a failed service worker and notifies the user how to get around the browser issue.

bigopon commented 4 years ago

Yes, thanks @3cp. The solution is to upgrade to the latest Brave.
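
The approach discussed in this thread (boot the service worker with a timeout, then tell the user what to change when it fails) could look like the sketch below. This is an added example, not dumber-gist's own code: the function names and advice wording are hypothetical, and it assumes Brave exposes `navigator.brave.isBrave()`; Shields state itself is not detectable from the page.

```javascript
// Added example; function names are hypothetical, not dumber-gist's code.
// Map a registration failure to a coarse reason the UI can act on.
function classifyFailure(err) {
  if (err && err.name === 'TimeoutError') return 'timeout';
  // Wording taken from the DOMException quoted earlier in this thread.
  if (err && /denied permission/i.test(String(err.message))) return 'blocked';
  return 'unknown';
}

// Turn a reason into text that tells the user what to change.
function adviceFor(reason, isBrave) {
  if (reason === 'unsupported') return 'This browser has no Service Worker support.';
  if (reason === 'blocked' || reason === 'timeout') {
    return isBrave
      ? 'Service Worker could not start. In Brave Shields, set Cookies to "Allow all cookies" or turn Shields off for this site, or upgrade Brave.'
      : 'Service Worker could not start. Allow cookies/site data for the embedded app origin, then reload.';
  }
  return 'Service Worker failed to start. See the browser console for details.';
}

// Race a promise against a timer so a silently stalled boot still surfaces.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => {
      const e = new Error(`no response after ${ms} ms`);
      e.name = 'TimeoutError';
      reject(e);
    }, ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// nav is injected (pass window.navigator in the page) so the logic is testable.
async function bootServiceWorker(nav, scriptUrl, timeoutMs = 10000) {
  if (!nav.serviceWorker) {
    return { ok: false, reason: 'unsupported', advice: adviceFor('unsupported', false) };
  }
  // Assumption: navigator.brave.isBrave() exists only in Brave and resolves to true.
  const isBrave = !!(nav.brave && await nav.brave.isBrave().catch(() => false));
  try {
    await withTimeout(nav.serviceWorker.register(scriptUrl), timeoutMs);
    await withTimeout(nav.serviceWorker.ready, timeoutMs); // wait until active
    return { ok: true };
  } catch (err) {
    const reason = classifyFailure(err);
    return { ok: false, reason, isBrave, advice: adviceFor(reason, isBrave) };
  }
}
```

In the page this would be called as `bootServiceWorker(navigator, '/__dumber-gist-worker.js')`, with the returned `advice` shown to the user when `ok` is false.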