Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recurly.js Iframes throw security error when running dev server #15546

Closed
crookedneighbor opened this issue Mar 19, 2025 · 1 comment · Fixed by #15577
Closed

Recurly.js Iframes throw security error when running dev server #15546

crookedneighbor opened this issue Mar 19, 2025 · 1 comment · Fixed by #15577

Comments

@crookedneighbor
Copy link
Contributor

Describe the bug

My team is upgrading our checkout pages to Svelte, but we use Recurly and it it looks like the Svelte dev server injects some JavaScript that is interacting with the Recurly iframes in a way that causes a Security error to be thrown and halts the execution of JavaScript from Recurly's client side script interacting with the iframe. When running in preview mode, the error does not occur and the iframe and JS code runs normally.

Sample App: https://github.com/crookedneighbor/svelte-recurly-dev-issue

Screenshot of the page in dev mode:

Image

Screenshot of the page in preview mode:

Image

Digging to the JS chunk where the error originates reveals:

// a function where the array prototype is changed
function init_array_prototype_warnings() {
  const array_prototype2 = Array.prototype;
  const cleanup = Array.__svelte_cleanup;
  if (cleanup) {
    cleanup();
  }
  const { indexOf, lastIndexOf, includes } = array_prototype2;
  array_prototype2.indexOf = function(item, from_index) {
    const index = indexOf.call(this, item, from_index);
    if (index === -1) {
      for (let i = from_index ?? 0; i < this.length; i += 1) {
        // the line below is the one where the error gets thrown
        if (get_proxied_value(this[i]) === item) {
          state_proxy_equality_mismatch("array.indexOf(...)");
          break;
        }
      }
    }
    return index;
  };

In this case, the this is an array containing the Window and the Recurly's iframe contentWindow. And calling get_proxied_value on the iframe's contentWindow throws the error.

Here's the get_proxied_value function:

function get_proxied_value(value) {
  if (value !== null && typeof value === "object" && STATE_SYMBOL in value) {
    return value[STATE_SYMBOL];
  }
  return value;
}

The part it doesn't like is checking STATE_SYMBOL in value, where value is the Recurly iframe's contentWindow. My guess is this function should have a try/catch and return the value. If I go in and modify it to this, it works just fine:

function get_proxied_value(value) {
  try {
    if (value !== null && typeof value === "object" && STATE_SYMBOL in value) {
      return value[STATE_SYMBOL];
    }
    return value;
  } catch (e) {
    return value;
  }
}

This is preventing us from upgrading our checkout to Svelte.

Reproduction

Repo: https://github.com/crookedneighbor/svelte-recurly-dev-issue

Reproduction in Dev Mode

  • Run the server in dev mode 
    npm run dev
  • load the app, see the Recurly iframe load, but notice the JS fails to populate the card number or validations
  • check the console and see security error

No Error Running in Preview Mode

  • Run the server in preview mode 
    npm run build
npm run preview
  • load the app, see the Recurly iframe load and JS loads the card number fields
  • no console errors

Logs

Browser logs:


Uncaught SecurityError: Blocked a frame with origin "http://localhost:5173" from accessing a cross-origin frame.
    at array_prototype2.indexOf (chunk-PENI7PX3.js?v=2071926b:1411:13)
    at recurly.js:2:6599
    at Array.filter (<anonymous>)
    at s.value (recurly.js:2:6569)
    at s.value (recurly.js:2:6026)
array_prototype2.indexOf @ chunk-PENI7PX3.js?v=2071926b:1411
(anonymous) @ recurly.js:2
value @ recurly.js:2
value @ recurly.js:2

System Info

System:
    OS: macOS 14.7.2
    CPU: (11) arm64 Apple M3 Pro
    Memory: 139.77 MB / 36.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 18.20.7 - ~/.nvm/versions/node/v18.20.7/bin/node
    npm: 10.8.2 - ~/.nvm/versions/node/v18.20.7/bin/npm
  Browsers:
    Chrome: 134.0.6998.89
    Safari: 18.2
  npmPackages:
    svelte: ^5.23.2 => 5.23.2

Severity

blocking an upgrade
@potch
Copy link

potch commented Mar 19, 2025

It appears that the error stems from Array prototype overrides made by init_array_prototype_warnings();, which it looks like are only applied in dev mode:

	if (DEV) {
		// @ts-expect-error
		element_prototype.__svelte_meta = null;

		init_array_prototype_warnings();
	}

These warning checks are leading to <iframe> security errors. Is it possible to opt-out of this prototype patching, even in dev mode?

crookedneighbor added a commit to crookedneighbor/svelte that referenced this issue Mar 21, 2025
@crookedneighbor
fix: allow get_proxied_value to return original value when error
c9acb66 
closes sveltejs#15546
crookedneighbor added a commit to crookedneighbor/svelte that referenced this issue Mar 21, 2025
@crookedneighbor
fix: allow get_proxied_value to return original value when error
daa9559 
closes sveltejs#15546
crookedneighbor added a commit to crookedneighbor/svelte that referenced this issue Mar 21, 2025
@crookedneighbor
fix: allow get_proxied_value to return original value when error
afbe254 
closes sveltejs#15546
@crookedneighbor crookedneighbor mentioned this issue Mar 21, 2025
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: allow get_proxied_value to return original value when error crookedneighbor/svelte
2 participants
@potch @crookedneighbor