iframe tag missing allow-same-origin, prevents loading SDK in iframe

kevmo314 commented 3 years ago

[REQUIRED] Describe your environment

Operating System version: Windows 10
Browser version: Edge 90.0.818.51
Firebase SDK version: 8.2.1
Firebase Product: database

[REQUIRED] Describe the problem

iframing a cross-domain page that invokes the firebase js sdk seems to result in an error.

BrowserPollConnection.ts:503 Sandbox access violation: Blocked a frame at "https://overlays.rtirl.com" from accessing a frame at "null".  Both frames are sandboxed and lack the "allow-same-origin" flag.
BrowserPollConnection.ts:518 Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame.
    at Function.ji.createIFrame_ (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:110223)
    at new ji (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:112331)
    at n (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:105983)
    at Qi.open (https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:107180)
    at https://overlays.rtirl.com/__/firebase/8.2.9/firebase-database.js:1:117875

The relevant failure line is here: https://github.com/firebase/firebase-js-sdk/blob/master/packages/database/src/realtime/BrowserPollConnection.ts#L500

Steps to reproduce:

Domain foo.com:

<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="bar.com"></iframe>

Domain bar.com:

<script src="... firebase js sdk ..."></script>
<script>
firebase.initializeApp(...);
firebase.database()...
</script>

Should result in the above exception.

If I understand same-origin policies correctly, I believe the sdk just needs to add the sandbox="allow-same-origin" attr to the created iframe element?

looptheloop88 commented 3 years ago

Hi @kevmo314, thanks for the report and apologies for the delay in response. I was able to replicate this issue using the latest SDK version 8.6.2.

Per this similar issue filed before, it's working as expected. Let me check and update this thread for the explanation as to why, or bring someone here.

kevmo314 commented 3 years ago

I see, thanks for the link. An explanation or documentation would definitely be appreciated. At the very least if it's WAI, a better error message so others don't waste time debugging. :)

b-smets commented 2 years ago

Any update on this? We are also facing this with an iframe which is sandboxed to disallow allow-same-origin. The workaround in https://github.com/firebase/firebase-js-sdk/issues/123 relies on forcing websockets but some firewalls block them.

firebase / firebase-js-sdk