Closed acdha closed 11 years ago
Thanks @acdha for reporting that.
I actually use Chrome Version 24.0.1312.57 and can't seem to reproduce. There is indeed a warning when loading the non https iframe. My concern though is that we need to load the data from the subtome.com domain, as this is the only domain on which the localStorage data can be accessed, and at this point, it looks like we cannot use HTTPS on S3 for a custom domain.
You seem to indicate that more than a warning, you actually get an error. Do you mind telling me more?
It triggers a DOMException in Chrome Mac 24.0.1312.57:
Uncaught Error: SECURITY_ERR: DOM Exception 18
loadServices (subscribe.subtome.js:1216)
Services (subscribe.subtome.js:1212)
(anonymous function) (subscribe.subtome.js:1281)
require.modules.(anonymous function) (subscribe.subtome.js:155)
require (subscribe.subtome.js:7)
require_ (subscribe.subtome.js:144)
(anonymous function) (subscribe.subtome.js:1288)
require.modules.(anonymous function) (subscribe.subtome.js:155)
require (subscribe.subtome.js:7)
(anonymous function) (subscribe.subtome.js:1347)
In practice, this means that nothing visible happens when you click on the button.
I am really puzzled, because I use the exact same version on my Mac and I don't get this security error. A warning yes, but not an error. Also the popup shows up nicely. Any flag that you could have set up that would trigger that?
I have third-party blocking enabled in the cookie preferences. I believe that's the same policy used for localStorage.
Chris
On Monday, February 18, 2013 at 12:28 AM, Julien Genestoux wrote:
I am really puzzled, because I use the exact same version on my Mac and I don't get this security error. A warning yes, but not an error. Also the popup shows up nicely. Any flag that you could have set up that would trigger that?
You are right, that's the cause of this. Do you know if this is the default setting or did you set that up yourself?
I believe it's not enabled by default but it seems to be fairly popular.
Chris
Chris, it seems that the only solution to this is to host the files for SubToMe somewhere with HTTPS on subtome.com.
I'll look into that later today. Thanks for your help!
Julien
@acdha Chris, I have now fully moved SubToMe over to an https only host. I tested and it seems that this issue is still here, even though the whole chain is now using https. I am really not sure what is going on and why Chrome gives us so much pain here. Any idea?
The only workaround at this point is to uncheck the 'Block third-party cookies and site data' option in Chrome's settings if you get the 'Uncaught Error: SecurityError: DOM Exception 18' error.
The easiest way to handle it might be to simply catch the exception and alert the user, maybe falling back to the default service list?
Indeed, I think that's what we'll do for now... I'm sure there is a way around that exception. Thanks,
@acdha Chris, I just pushed a version with a message for the user when that setting is enabled. I also used the instructions given by Disqus when this setting is enabled.
Thanks a lot for your precious help!
Works perfectly - thanks!
The demo at https://hacks.mozilla.org/2013/02/subtome-a-better-subscribe-button/ fails in Chrome 24 because https://s3.amazonaws.com/www.subtome.com/load.js loads the actual script from an insecure HTTP URL, leading to a failure when https://github.com/superfeedr/subtome/blob/master/src/services.js#L7 attempts to call
localStorage.getItem('services');
Obviously this could be worked around by serving the script payload using HTTPS but that exception really should be reported to the user - or possibly just by having localStorage failures use an anonymous completely default experience.
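The catch-and-fall-back handling discussed in this thread, as an added example that is not part of the original issue or SubToMe's own code. `DEFAULT_SERVICES`, the result shape, the fake storage helpers and the assumption that the stored `services` value is a JSON object are all hypothetical.

```javascript
// Added example, not SubToMe's code. DEFAULT_SERVICES is a constructed placeholder.
const DEFAULT_SERVICES = {
  example: { name: 'Example Reader', url: 'https://reader.example/subscribe?feed={url}' }
};

// getStorage is a function so that touching window.localStorage itself, which is
// where the browser throws when third-party site data is blocked, happens inside the try.
function loadServices(getStorage, defaults = DEFAULT_SERVICES) {
  let raw;
  try {
    raw = getStorage().getItem('services');
  } catch (err) {
    // Chrome 24 reports code 18 (SECURITY_ERR); newer browsers set name 'SecurityError'.
    const blocked = Boolean(err) && (err.name === 'SecurityError' || err.code === 18);
    return { services: defaults, persisted: false, reason: blocked ? 'storage-blocked' : 'storage-error' };
  }
  if (raw === null) {
    return { services: defaults, persisted: true, reason: 'empty' };
  }
  try {
    const parsed = JSON.parse(raw);
    // Assumption: the stored value is a JSON object keyed by service name.
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
      throw new TypeError('services must be an object');
    }
    return { services: parsed, persisted: true, reason: 'ok' };
  } catch (err) {
    // Unparseable or wrongly shaped data: ignore it rather than break the button.
    return { services: defaults, persisted: true, reason: 'corrupt' };
  }
}

// Constructed stand-ins for window.localStorage so the example runs outside a browser.
function blockedStorage() {
  const err = new Error('SECURITY_ERR: DOM Exception 18');
  err.name = 'SecurityError';
  err.code = 18;
  throw err;
}
function fakeStorage(value) {
  return () => ({ getItem: (key) => (key === 'services' ? value : null) });
}

// In the iframe: const result = loadServices(() => window.localStorage);
// When result.reason === 'storage-blocked', show the user a message instead of failing silently.
```

The `persisted` flag tells the caller whether later writes can be expected to stick, so the UI can warn that choices will not be remembered.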