Cross-domain communication broken in latest Chrome (115+) #54
Comments
|
Thanks for bringing this to my attention. I need to read more about Storage Partitioning and decide what to do. Maybe I will just update the docs (README) with a warning about this security feature. |
|
I've asked the question where you are supposed to give feedback about the API. |
|
Any updates about this issue, im having same problem with the latest version of chrome |
|
You can follow the updates here privacycg/storage-access#102 |
|
I think you should look into issues with the title "Extending Storage Access API (SAA) to non-cookie storage". It looks promising but we need to wait for it to be implemented in browsers. |
|
Looks like something is happening per this new comment. Would be waiting on Chrome 121 Stable mid Jan '24 release which should have support for the broadcast channel "fix", which is what we need, but we can probably test in beta a bit sooner. So far the origin trial has been working fine for me, but that'll expire Sept '24. |
|
Yes, I will test with Beta and see how it will work. |
|
I was able to make it work with localStorage. BroadcastChannel doesn't work yet even in Beta 121. In order to use the code you need to register for the Origin Trail: StorageAccessAPIBeyondCookies. But the library just works: You can test it at: |
|
I was too fast, there is still an issue with sending messages. |
|
It's working now, I've used the wrong token, I though that it was the same token for both domains. |
|
There were some issues with the library when localStorage was used, the Now everything in the demo should work. Also, the API may change but they added BroadcastChannel as a function, not a constructor. They said it would be odd to have new in front of the method. |
|
One more update for the code and the tracking events. Note that this works properly only in Chrome 121 (I'm not sure why the code doesn't work properly - only tracking - in Chrome 120). Also few updates:
For both cases the user needs to make an interaction with the iframe and requestStorageAccess needs to be triggered in an event that is triggered by the user. |
|
So I tested on Beta 121 and stable 120. On the Beta version, the tracking works 10/10 times when I refresh the page. But in stable 120 it is like 3/10 when it works. I hope when the 121 will be released it will work as expected. |
|
Perhaps I have encountered a similar problem as well. I reread the question. |
|
@mdxiaohu The error "May not be used in an insecure context" means that you don't use HTTPS. |
|
@jcubic Thank you for your reply. The difficulty of this issue is that our three systems do not have domain names and cannot use HTTPS, as they are deployed on the internal network. |
|
But do you use an IP address instead of a domain name? You don't need to have a project public over the internet to have a domain name. |
Yes, only IP can be used. The rest is not up to me to make decisions, after all, it is the customer's request. |
|
I don't know what is your setup but adding DNS for internal network should not be that hard. It will also make life easier since you will not need to keep remembering the IP addresses to access application. When I was working for Roche all internal application were roche.com or roche.net subdomains even that the names were not public. But I'm not sure how hard is to set it up. |
|
I can see if I can disable the requestStorageAccess for no https but if you have different origins with IP addresses you will not be able to use Cross-Origin in Chrome. You need to setup DNS and get the token for Origin Trail. |
|
Different national conditions make it difficult not for technology, but for leadership requirements. For example: ”You need to setup DNS and get the token for Origin Trail.“ I tried to obtain a token today, but when I filled in the IP address, it prompted me that the verification did not pass. When I fill in the domain name, I can obtain the token normally. My hope: |
Okay, thank you for your work and reply. I will continue to monitor the progress. |
|
I can check maybe port difference don't fall into storage partition. Try using version 1.16.3 maybe you don't need all of this. |
|
You are really too strong, thank you very much.
|
|
Ok, so if cross-domain communication works then probably a different port doesn't create different partitions same as with the subdomain. I can add check |
|
Thank you very much for your reply and help.
|
|
There are two concepts here Cross-Originn request and Storage Partition that were added in recent Chrome. Cross-origin is sending requests to a different origin (different port qualify) but storage partitioning is a Chrome feature that blocks 3rd party cookies and other storage. You can access data from a different partition unless you request permission. The partition is not triggered in Chrome for subdomains on the same domain. And it seems the same happens with different ports. Because Chrome thinks that this is secured and considers the same domain according to this new Feature. |
|
At least based on current performance, the functionality is available when the ports are different.
Regarding the init method, this is its implementation. |
|
requestStorageAccess is not used instead of PostMessage. It's only additional code that is required for Cross-Domain communication in recent Chrome. I think that I will just expose the API somehow and make the user call this function inside an iframe where they want to access a different domain. This will also make sure that it will be user responsibility to call it in user triggered event. |
|
I am having the problem that if I do: remote = window.open('https://example.com/')
setTimeout(() => remote.postMessage('foo', '*'), 5000)Chrome silently refuses to send the message unless the source window and new window have the same origin. Firefox and Safari however send the message fine regardless of cross-origin status. I am having trouble understanding this behaviour, because the whole point of (Apologies if this is the wrong place to ask, but I can't find anyone discussing this fundamental brokenness anywhere, and while I have no idea what anyone is talking about in the conversation above, it sounds related.) |
|
You probably have other errors in your code that you don't show. Since your code works just fine: See: https://jcubic.pl/post.html Tested in Chrome 121 and Firefox 122 on Fedora. If your code doesn't work if you create a simple reproduction I suggest reporting an issue to the Chromium project. |
Thanks. I investigated further in response to your message and it turns out that it's due to the sending site (not the receiving one) setting the HTTP header (That header being set on the receiving site also blocks |
|
Cross-Origin-Opener-Policy is for This has nothing to do with postMessage. Can you share your code, it's hard to figure what what is the problem if you don't show your real code. |
|
What I posted literally is my real code. I also tried cut'n'pasting your exact code onto my own site, and as you say it works fine, but if I make either the site hosting |
|
You can see it here: https://unequivocal.eu/post.html . It's identical to your code except I made it so it's triggered by a button click rather than on page load, so as to get around pop-up blocking. The recv.html page does not get the message. And at https://unequivocal.eu/post-no-coop.html you can see the exact same page code but the server isn't sending the COOP header, and recv.html receives the message fine. |
|
And it only happens in Chrome? Why do you need to use that header? can you just get rid of it? If this only happens in Chrome you can report a bug to Chromium as I said earlier. |
|
Now I understand what's happening I was able to check properly, and Firefox and Safari have the same behaviour. I can remove the header from the sending server, but the receiving servers are not under my control, which means that The fact that all browsers are doing this is somewhat mysterious given I cannot see anything in the WHATWG HTML standard that specifies it (neither under the |
|
You can try using proxy iframe if you can upload files to the target server. This is what this library is doing. Also note, that you don't need to open the other website with |
|
The only access I have to the target server is that I can ask the site owner to add a single <script> tag to their site template which loads a script from my server. So it ought to be a piece of cake to register a |
|
I just added detection of Storage Access API by checking |
|
I'm closing this one, it should work now. |
This is mostly a thread to share my experiences with the issues with my cross-domain setup using sysend.js, which stopped working several months ago, but I only now was able to dig in to it and figure out what was happening.
When I tested your built-in cross-domain demo (https://jcubic.pl/sysend-demo/) it still worked, so at first, I thought the issue was due to something with my setup (I only load one iframe since that seemed to be enough for me to get full functionality, see #29 & #37). So I first updated to the latest version of sysend, and when I still had issues, next changed my setup to be configured with dual iframes, but ultimately had the same issues. Lastly, I tried toggling the enforcement of using the
localStoragefeature viasysend.useLocalStorage(), but no differences.Switching to evaluating the roots of the problem,
broadcastChannel.postMessagewould never propagate from an iframe window to a tab with the same domain when that iframe was rendered under a page with a different domain. The same holds true for anylocalStorageevents (all of thelocalStoragedata was completely different and isolated, even though the tab and iframe were from the same origin).In my case my two sites are different domain origins entirely (
a.subdomain1.comvsb.subdomain2.com), where as your cross-domain demo are both under the same domain, just one is a subdomain (jcubic.plvsterminal.jcubic.pl) which is why I suspect the demo still works, although I couldn't find any documentation anywhere for that exception. I did try the setup for my domains with different subdomains but under same main domain, and it did work, but unfortunately I can't make that change in production since it'll break a lot of users access (on both sites) to various resources (too many hardcoded URL's in emails).Ultimately, the issue is due to a new feature coming down the pipe in browsers, storage/state propagation. I investigated Chrome specifically since that's what we work with internally, so the situation for Firefox or Edge could be different. For Chrome, this feature started in Chrome Beta 113, but was officially available in the production release of Chrome 115 (I'm on 117 atm), which was released back in July '23 I think, which kind of lines up with when I suspect this issue started to occur for me. FYI, I believe that they are rolling out this feature to users slowly, so not all users on latest Chrome version may be affected by it.
For Chrome, there is a way to register in an Origin Trial and submit a form which essentially will generate you a code that you then embed in your site (as a meta tag, or a http header in some cases). You have to provide it your top-level site domain and specify some other settings (i.e. subdomain wildcard, third-party script injection, usage count, etc). Ultimately, this allowed me to restore this functionality to my site in the latest chrome browser version without needing all users to disable a chrome feature flag or anything like that, HOWEVER, this code/trial will expire (supposedly) by Sept 2024 (link), which if anything, at least gives me a year to figure out an alternative (or actually migrate to using same domain origin). I'm hoping that they enable some sort of way to enable a whitelist of allowed domains to have unpartioned cross-origin access to these resources before the trial expiration date.
If anyone has any other suggestions or knows more about this, I'm all ears. But until then, I hope this helps someone else.
Other useful links:
https://developer.chrome.com/en/docs/web-platform/origin-trials/#take-part-in-an-origin-trial
https://developer.chrome.com/docs/web-platform/origin-trial-troubleshooting/
https://developer.chrome.com/docs/web-platform/third-party-origin-trials/
https://chromeenterprise.google/policies/atomic-groups/#ThirdPartyStoragePartitioningSettings
Credit to @yangon99's comment which was my first hint of the source of the issue being related to the new storage partitioning feature.
The text was updated successfully, but these errors were encountered: