
[BUG] Safari - Block All Cookies - SecurityError The operation is insecure #2494

Open

@ackava

Description

Description/Screenshot: [image not preserved]

Steps to Reproduce

  • OS/Browser: iOS/Safari
  • First Open Settings in iPhone, Goto Safari, Goto Advance, set Block All Cookies to True (On).
  • Restart Safari by closing manually
  • Open a page with Application Insights JS
  • How you initialized the SDK:
<script type="text/javascript">
!function(T,l,y){<!-- Removed the Snippet code for brevity -->}(window,document,{
src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",
crossOrigin: "anonymous",
onInit: function (sdk) {
  sdk.addTelemetryInitializer(function (envelope) {
    envelope.data.someField = 'This item passed through my telemetry initializer';
  });
}, // Once the application insights instance has loaded and initialized this method will be called
cfg: { // Application Insights Configuration
    connectionString: "YOUR_CONNECTION_STRING"
}});
</script>

<script>
  // other scripts that fail to execute here
</script>

Expected behavior
The page should open normally, but the page blocks and no other JavaScript on the page works.
Additional context

The loading of the page fails with an error, and this blocks subsequent JavaScript on the page.
Safari does not allow localStorage or sessionStorage when you set Block All Cookies to true, so the AI script needs to address this and ignore any local storage.
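The failure mode described in this report, as an added example (not ApplicationInsights-JS code): Safari with Block All Cookies throws a SecurityError as soon as a script touches window.localStorage or window.sessionStorage, so storage has to be probed inside try/catch and replaced by an in-memory fallback when the probe fails. blockedStorageHost() below is a constructed stand-in for that Safari behaviour so the example runs outside a browser.

```javascript
// Added example (not ApplicationInsights-JS code): probe Web Storage the way a
// script must when Safari's "Block All Cookies" is on, where merely touching
// window.localStorage throws "SecurityError: The operation is insecure."
// blockedStorageHost() is a constructed stand-in for that Safari behaviour.
function blockedStorageHost() {
  const host = {};
  for (const name of ["localStorage", "sessionStorage"]) {
    Object.defineProperty(host, name, {
      get() {
        const e = new Error("The operation is insecure.");
        e.name = "SecurityError";
        throw e;
      },
    });
  }
  return host;
}

// Returns a usable Storage-like object or null. The probe does a real
// setItem/getItem/removeItem round trip because some browsers expose the
// object but throw (or silently drop writes) on use.
function probeStorage(host, name) {
  try {
    const store = host[name];
    if (!store) return null;
    const key = "__storage_probe__";
    store.setItem(key, "1");
    const ok = store.getItem(key) === "1";
    store.removeItem(key);
    return ok ? store : null;
  } catch (_e) {
    return null; // SecurityError, QuotaExceededError, or no storage at all
  }
}

// In-memory fallback with the subset of the Storage API a telemetry SDK
// needs, so callers never branch on availability and never throw.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

function getStorage(host, name) {
  return probeStorage(host, name) || memoryStorage();
}
```

In a browser the host is simply window, i.e. getStorage(window, "localStorage").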

Activity

MSNev (Collaborator) commented on Mar 28, 2025

Is this what you "expect" or what is happening?

Page should open normally, but page blocks and any other javascript on the page doesn't work.

If it's what you expect to happen, then I don't think we can do this.

In terms of "using" LocalStorage or SessionStorage, we have existing code that checks and is "supposed" to help with situations like this: https://github.com/microsoft/ApplicationInsights-JS/blob/main/shared/AppInsightsCommon/src/StorageHelperFuncs.ts

@Karlie-777, @siyuniu-ms, can you please investigate and identify whether we have code that is not using / verifying the access correctly?
These functions exist so that if the runtime blocks storage, or we are provided with config that blocks us from using session storage, we should be handling the situation gracefully.

Karlie-777 (Contributor) commented on Mar 28, 2025

And one quick comment on the telemetryInitializers from your code:

 sdk.addTelemetryInitializer(function (envelope) {
    envelope.data.someField = 'This item passed through my telemetry initializer';
  });

You didn't add a try/catch inside your telemetry initializer function, and this function might throw an error as well, because envelope.data might be undefined.
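The guard suggested in this comment, as an added example (not the project's own code): a telemetry initializer written so it cannot throw even when envelope.data is missing, beside the unguarded form from the issue. ApplicationInsights-JS calls each initializer with the envelope and drops the item when an initializer returns false; the envelopes used in the assertions are constructed samples.

```javascript
// Added example (not the project's own code): a telemetry initializer that
// cannot throw, as suggested in the comment above. ApplicationInsights-JS
// invokes each initializer with the envelope, and returning false drops the
// item; the envelopes used in testing are constructed samples.
function makeSafeInitializer(field, value) {
  return function (envelope) {
    try {
      if (!envelope || typeof envelope !== "object") return true;
      // envelope.data can be undefined depending on the telemetry type
      if (!envelope.data || typeof envelope.data !== "object") {
        envelope.data = {};
      }
      envelope.data[field] = value;
    } catch (_e) {
      // Never let an initializer error escape into page script.
    }
    return true; // keep the item either way
  };
}

// The unguarded initializer from the issue, kept for comparison.
function unguardedInitializer(envelope) {
  envelope.data.someField = "This item passed through my telemetry initializer";
  return true;
}
```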

Karlie-777 (Contributor) commented on Mar 28, 2025

And when you switch to non-incognito mode and turn off the security settings, does your app run as expected?

ackava (Author) commented on Mar 30, 2025

This seems to be working correctly.

This wasn't the blocking issue; the script was blocked by some other third-party script. It just took a long time to figure out due to the poor debugging features of Safari, as Safari never pointed to the exact failure in the third-party script but always pointed to the AI initializer script. The strange part was that removing the AI script didn't cause the failure, so we debugged everything for 2 days to verify where the script was failing.

So here is what is happening:

  1. If AppInsights is on the page, and the other script is on the page, the page fails to load.
  2. If AppInsights is not on the page, but the other script is on the page, the page loads correctly.
  3. If AppInsights is on the page but the other script is removed, the page loads correctly.

I am unable to figure out why this is happening. The issue is with Safari, because Safari tells me it is the AppInsights script that is accessing localStorage and failing, but in truth it is the other script that is failing.

Is this due to some hooks that AppInsights is installing, so that we cannot get the actual error? This is not an issue on other browsers.

MSNev (Collaborator) commented on Mar 31, 2025

Hmm, that is odd.

We don't "hook" too many things in the runtime, and nothing related to Local or Session Storage (we just use the APIs). Things that we do hook:

  • fetch and XMLHttpRequest (we "patch" the entrypoints / classes so we can catch all requests; setting the disableAjaxTracking config on initialization stops us from doing this)
  • We listen for and register a bunch of "events", but this is just using addEventListener. We do track some of these with attached references (namespaces) to support multiple instances, but these use unique names so should not get in the way of anything else. We don't have any configs to disable all of these.

We do dynamically update our own prototypes for our classes, but this should not affect anything external.

Random thought: this "other" script, is it also internally using a version of Application Insights? If it's using another (older) version (specifically v1) there might be some clashing. For mixing v2 and v3 we perform several checks, but the older code will always tend to overwrite the newer version, causing issues (most of these can be worked around by using npm rather than the CDN, but that also means you have to redeploy to update the underlying version of AI).

MSNev (Collaborator) commented on Mar 31, 2025

Secondary thought: have you noticed whether it's a load order problem, and therefore a race condition because you're loading from the CDN? i.e. does it sometimes work? For the AI SDK Loader (snippet) we have an ld (load delay) setting that you can set to wait this number of milliseconds before dropping the main script tag onto the page to load the main SDK from the CDN. This can be used to delay when we are initialized (but it also means the collection of telemetry and the timing of the initial page view will be delayed or a little off).

ackava (Author) commented on Apr 24, 2025

@MSNev

  1. Updated the AI script to load from the recent CDN. Still the same issue.
  2. I am not sure of the loading error, but when debugging in Safari, if any other script accesses localStorage in privacy mode, the Safari debugger takes me to the AI script. We updated the other script and wrapped localStorage in try/catch, so the error is resolved as of now.

But I do see a debugging nightmare: for some reason Safari is probably mixing up source maps and taking it to the first recorded exception instead of the actual exception. This could be a bug in Safari itself. I just wanted to know if any hooks or any dynamic prototype changes could mix up source maps.

MSNev (Collaborator) commented on Apr 24, 2025

If you're using the CDN, you can change the URL to use the non-minified version to work around the map file nightmares that some runtimes have.

CDN Debugging Support

Basically, just "drop" the .min from the URL.

assigned and unassigned on May 20, 2025

Labels: investigation required (Further investigation or discussions required)