Open gabrielecirulli opened 5 days ago
The following snippet is also a useful test to run on play2048.co:

```js
Array.from(document.querySelectorAll('iframe')).filter(
  (iframe) => iframe.src === 'about:blank'
).forEach((iframe, i) => {
  console.log('updating iframe', i);
  iframe.src = 'https://example.com';
});
```
When I do the above, the CSP error appears and any resize observers that depend on those iframes stop working. The UI is still responsive but layout breaks.
An alternative approach if we want to keep the listeners intact may be to listen to `onload` and check `src` and if it's not `about:blank`, to immediately reset it to `about:blank` and bail. Further calls to `onload` would then be able to safely hook into the iframe because the `src` is fixed.
Alternatively, Svelte 5 is switching to using `ResizeObserver` for these bindings - https://svelte-5-preview.vercel.app/docs/breaking-changes#modern-browser-required - At this point, I'm not sure we want to put much effort into the iframes mechanism.
Might still be nice to prevent such CSP errors if there’s a simple way to do so. If anything it might prevent Sentry error quotas being blown up :)
I deployed the same Svelte code with additional console.log statements directly in the runtime source, but it shows the src hasn’t changed when the callback triggers, even though the SecurityError is still thrown.
Describe the bug
I am encountering this error in my Sentry logs:
A snapshot of the error is available here.
Here's what I've found so far:
- `<iframe>` resize listeners used by Svelte.
- `about:blank` as `src` should adhere to the same-origin policy and avoid CSP errors. Link to the relevant function at the version I'm using (`4.2.19`)
- I have ads on my page and I suspect some third-party script is intercepting these `<iframe>`s and altering their `src`.
- Changing the `src` of these `<iframe>`s would re-trigger the `onload` function defined by svelte, repeating the call to `iframe.contentWindow.addEventListener("resize")`, which is likely undesired.
- A potential mitigation could be removing the `onload` listener as soon as the "resize" event listener is added. In my testing with the snippet included below this seems to prevent the CSP error, but I'm unsure if the resize listener persists after the iframe `src` changes.
- Potentially related article: https://help.noibu.com/hc/en-us/articles/4413414445069-Blocked-a-frame-with-origin-xyz-from-accessing-a-cross-origin-frame
Reproduction
https://play2048.co, open the Safari dev tools, and paste.
`iframe.onload = undefined` line and run again. No error will happen.
Logs
https://2048-ip-holding-bv.sentry.io/share/issue/0b2c4cdbea0d4adaaba28ba66003c584
System Info
Severity
annoyance
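
One way to combine the guard proposed in the comments above (reset a changed `src` to `about:blank` and bail) with a `try`/`catch` for the reported case where the SecurityError is thrown although `src` is unchanged. This is an added example, not Svelte's runtime code or code from this thread; `watchIframeResize`, `FakeIframe` and the `ads.invalid` URL are hypothetical, and the fake frame is a constructed stand-in so the logic runs outside a browser.

```javascript
// Added example: `watchIframeResize` is a hypothetical helper, not Svelte's runtime code.
function watchIframeResize(iframe, onResize) {
  let hooked = null;
  const stats = { attached: 0, resets: 0, blocked: 0 };
  const unhook = () => {
    try { if (hooked) hooked.removeEventListener('resize', onResize); } catch (_) { /* frame is cross-origin now */ }
    hooked = null;
  };
  iframe.onload = () => {
    unhook(); // the previous document, and its listener, are gone
    if (iframe.src !== 'about:blank') {
      stats.resets += 1;
      iframe.src = 'about:blank'; // reset and bail; the next load event hooks in
      return;
    }
    try {
      // Still throws if the frame was navigated without `src` changing.
      iframe.contentWindow.addEventListener('resize', onResize);
      hooked = iframe.contentWindow;
      stats.attached += 1;
    } catch (err) {
      if (err.name !== 'SecurityError') throw err;
      stats.blocked += 1; // swallow it so it never reaches error reporting
    }
  };
  return { stats, destroy() { unhook(); iframe.onload = null; } };
}

// Constructed stand-in for an <iframe> so the example runs outside a browser.
// Real frames fire `load` asynchronously; this one fires it synchronously.
class FakeIframe {
  constructor() { this._src = 'about:blank'; this.location = 'about:blank'; this.listeners = new Set(); this.onload = null; }
  get src() { return this._src; }
  set src(url) { this._src = url; this.navigate(url); }
  navigate(url) { // navigation that leaves the `src` attribute alone
    this.location = url;
    this.listeners = new Set();
    if (this.onload) this.onload();
  }
  get contentWindow() {
    const frame = this;
    const guard = () => {
      if (frame.location === 'about:blank') return;
      throw Object.assign(new Error('cross-origin frame access blocked'), { name: 'SecurityError' });
    };
    return {
      addEventListener(_type, fn) { guard(); frame.listeners.add(fn); },
      removeEventListener(_type, fn) { guard(); frame.listeners.delete(fn); },
    };
  }
}
```

If another script keeps rewriting `src`, the reset branch runs on every load, so `stats.resets` is worth watching or capping in real use.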