#58978 closed defect (bug) (fixed)
Post embed iframe throws soft(?) DOMException for emoji-loader's references to sessionStorage
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 6.3 | Priority: | normal |
| Severity: | normal | Version: | 6.3 |
| Component: | Emoji | Keywords: | has-patch dev-feedback fixed-major |
| Focuses: | javascript | Cc: |
Description (last modified by )
While working on #58931 I discovered that a post embed from a site running WordPress 6.3-RC3 was causing an error to appear in the console:
Uncaught (in promise) DOMException: Failed to read the 'sessionStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.
at getSessionSupportTests (http://localhost:8889/2023/06/07/emoji/embed/:83:3)
at http://localhost:8889/2023/06/07/emoji/embed/:354:22
at new Promise (<anonymous>)
at wpEmojiLoader (http://localhost:8889/2023/06/07/emoji/embed/:353:2)
at http://localhost:8889/2023/06/07/emoji/embed/:438:4
Then when I wrap getSessionSupportTests in a try/catch block, I see another error appear:
Uncaught DOMException: Failed to read the 'sessionStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.
at setSessionSupportTests (http://localhost:8889/2023/06/07/emoji/embed/:115:3)
at worker.onmessage (http://localhost:8889/2023/06/07/emoji/embed/:379:6)
Wrapping that instance with a try/catch block then causes the errors to be suppressed. The issue is that Post Embed iframes lack the allow-same-origin value for the sandbox attribute, and so sessionStorage is not available.
What's surprising about this is even though an error appears in the console about an uncaught exception being thrown, I don't see the execution actually being interrupted anywhere. If I add code like this to wp-embed:
console.log( 'sessionStorage', sessionStorage ); console.log( 'sessionStorage.getItem("foo")', sessionStorage.getItem("foo") ); console.log( 'Howdy!' );
Then sure enough my console reads:
typeof sessionStorage === object
sessionStorage.getItem("foo") === null
Howdy!
Uncaught (in promise) DOMException: Failed to read the 'sessionStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.
And the callstack points to the exception being raised at typeof sessionStorage === object, even though the subsequent lines still execute.
I introduced the use of sessionStorage in #58472. I had added try/catch blocks around the calls to sessionStorage.getItem() and sessionStorage.setItem() didn't thinking that code like this could possibly cause an error:
if ( typeof sessionStorage !== 'undefined' && sessionStorageKey in sessionStorage ) {
But it does. It seems Chrome will at least emit a silent DOMException the first time that the sessionStorage object is touched. It doesn't seem to impact the execution, however.
So fixing this will clear up errors from the console, but it doesn't seem it will have any other impact.
Note this issue can be reproduced with a post embed from the same site running on the wordpress-develop dev environment.
Change History (18)
This ticket was mentioned in PR #4965 on WordPress/wordpress-develop by @westonruter.
3 years ago
#3
- Keywords has-patch added
This simply moves the try/catch blocks from inside the if statements that reference sessionStorage to instead wrap these if statements.
Trac ticket: https://core.trac.wordpress.org/ticket/58978
@westonruter commented on PR #4965:
3 years ago
#4
Diff with whitespace suppressed: https://github.com/WordPress/wordpress-develop/pull/4965/files?diff=unified&w=1
#5
@
3 years ago
While it doesn't make a functional difference, it may still make sense to commit for the WP 6.3 release still, to suppress that exception? It's extremely late in the cycle, but this is also a very simple change, so I'd be on board with that.
@westonruter commented on PR #4965:
3 years ago
#6
Humm. Somehow I pushed my branch this to origin by mistake when I meant to push it to my fork. (I'm surprised I was able to push to WordPress/wordpress-develop to begin with.) Going to create a separate PR because I suspect the branch will get blown away by the mirroring process.
This ticket was mentioned in PR #4966 on WordPress/wordpress-develop by @westonruter.
3 years ago
#7
This removes the if statements which were attempting to prevent errors related to interacting with sessionStorage. It turns out that merely referencing the sessionStorage object will cause an error, although the error does not cause an interruption in execution (in Chrome at least).
Trac ticket: https://core.trac.wordpress.org/ticket/58978
@westonruter commented on PR #4965:
3 years ago
#8
@felixarntz here's another updated version: https://github.com/WordPress/wordpress-develop/pull/4966
@westonruter commented on PR #4966:
3 years ago
#9
With whitespace changes suppressed:
@westonruter commented on PR #4966:
3 years ago
#11
#12
@
3 years ago
- Keywords dev-feedback added
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening for 6.3 consideration.
#13
follow-up:
↓ 17
@
3 years ago
@azaozz Do you have any opinions / thoughts on whether we should backport this for 6.3?
#14
@
3 years ago
- Keywords fixed-major added
Just noting that if we backport this to 6.3, we'll probably need to ship a RC4 today.
Adding fixed-major as this ticket is reopened for a potential backport. The workflow keyword can be removed if this ticket is moved to 6.3.1.
This ticket was mentioned in Slack in #core by priethor. View the logs.
3 years ago
#17
in reply to:
↑ 13
@
3 years ago
Replying to mikeschroder:
The patch LGTM for merging, just silences some possible errors. Thanks @SergeyBiryukov for merging it.
I'm assigning this to 6.3 with the expectation that it would be punted to 6.3.1.