
Disable iframe fallback if browser is in crossOriginIsolated mode #703

Closed
ghost opened this issue Feb 10, 2021 · 7 comments · Fixed by #790
Labels
feature request A feature has been asked for or suggested by the community

Comments


ghost commented Feb 10, 2021

Describe the problem you'd like to have solved

We use the SharedArrayBuffer and wasm-threads in our application. Therefore we have to set the browser to cross-origin isolated mode by using the following headers on the main page:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

With this setup we cannot use this SDK, because it falls back to an iframe in several scenarios. The browser blocks those iframes, because they do not have a CORP header set. AFAIK there is no option to add a CORP header on the Auth0 iframe.

See: https://web.dev/coop-coep/

This behaviour was introduced in Chrome 88 and has been enforced in Firefox for a while now.

Describe the ideal solution

This use case should be handled by the sdk transparently or, if the iframe fallback fails, a 'login_required' should be thrown.

Alternatives and current work-arounds

We solved it by preventing the iframe attempt and redirecting the browser to the login.
https://github.com/tekilla123/auth0-spa-js/commit/7cf90cab882f419228ea7adb36b1f2497a87a75d

Additional context

see: https://community.auth0.com/t/use-spa-sdk-with-cross-origin-embeder-policy/57285

ghost added the "feature request" label on Feb 10, 2021

@stevehobbsdev (Contributor)

Thanks for raising this @tekilla123. I can see the problem - with the headers set I get absolutely nothing to tell me that something is wrong, the iframe just eventually times out.

Looking at your code, we should probably just throw a login_required error here but not automatically redirect away - we'd prefer to leave that decision up to the developer (they might prefer to use a popup instead).

I will add it to our internal backlog 👍

ghost (Author) commented Feb 16, 2021

In my current understanding of the issue, the cleanest solution would be if the iframe has the COEP and CORP headers set. This would fix the token refresh via iframe without logging in again.

Is there a feature to set such headers on the /authorize iframe in Auth0?

see: https://web.dev/coop-coep/

cross-origin-embedder-policy: require-corp
cross-origin-resource-policy: cross-origin
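The two things this thread turns on are (a) the page being cross-origin isolated because of COOP/COEP, which makes the hidden authorize iframe silently fail until the SDK's timer expires, and (b) the headers the framed /authorize response would need to carry for a `require-corp` embedder to accept it. The following is an added example written for this issue, not code from auth0-spa-js or from the commenters; `isCrossOriginIsolated`, `frameLoadsUnderRequireCorp`, `LoginRequiredError` and `getTokenSilentlyGuarded` are hypothetical names, `env` stands in for the browser global (`self` in a real page), and `runIframeAuth` stands in for whatever the SDK does with the hidden iframe. It shows the behaviour the maintainer asked for above: don't redirect on the SDK's behalf, just fail fast with `login_required` and leave the redirect-or-popup choice to the caller.

```javascript
// Added example, not auth0-spa-js code. Demonstrates:
//  1. detecting that the current document is cross-origin isolated (COOP+COEP),
//  2. checking whether a framed response carries the headers COEP: require-corp
//     demands of a cross-origin iframe (COEP on the frame itself plus a
//     permissive CORP value, see https://web.dev/coop-coep/),
//  3. a silent-auth wrapper that skips the iframe when it cannot load and bounds
//     the wait, so the caller gets `login_required` instead of a silent hang.

// Hypothetical error type with the same { error, error_description } shape the
// thread asks for; the real SDK has its own error classes.
class LoginRequiredError extends Error {
  constructor(description) {
    super(description);
    this.name = 'LoginRequiredError';
    this.error = 'login_required';
    this.error_description = description;
  }
}

// `env` is the global object (`self` in a browser). `crossOriginIsolated` is
// true only when the document was served with COOP: same-origin and
// COEP: require-corp (or credentialless) and the browser honoured them.
function isCrossOriginIsolated(env) {
  return env.crossOriginIsolated === true;
}

// Would an iframe whose response carries `headers` be allowed to load inside a
// document served with Cross-Origin-Embedder-Policy: require-corp?
//  - A same-origin frame needs no CORP, but still needs a compatible COEP.
//  - A cross-origin frame needs COEP (require-corp or credentialless) AND
//    CORP: cross-origin; CORP: same-site only helps when frame and embedder are
//    same-site (e.g. an Auth0 custom domain under the same registrable domain).
function frameLoadsUnderRequireCorp(headers, { sameOrigin = false, sameSite = false } = {}) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim().toLowerCase()])
  );
  const coep = h['cross-origin-embedder-policy'];
  const corp = h['cross-origin-resource-policy'];
  const coepOk = coep === 'require-corp' || coep === 'credentialless';
  if (!coepOk) return false;
  if (sameOrigin) return true;
  return corp === 'cross-origin' || (sameSite && corp === 'same-site');
}

// Silent-auth wrapper. `runIframeAuth()` is a stand-in for the SDK's hidden
// iframe authorize call and must return a promise. `timeoutMs` bounds it so a
// blocked or unresponsive frame surfaces as an error rather than a stall.
async function getTokenSilentlyGuarded({ env, runIframeAuth, timeoutMs = 60000 }) {
  if (isCrossOriginIsolated(env)) {
    // The frame would be blocked by COEP anyway; fail fast and let the caller
    // decide between loginWithRedirect and a popup.
    throw new LoginRequiredError(
      'Document is cross-origin isolated (COOP/COEP); the hidden authorize iframe cannot load.'
    );
  }
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(
      () => reject(new LoginRequiredError(`Silent auth iframe did not respond within ${timeoutMs} ms`)),
      timeoutMs
    );
  });
  try {
    return await Promise.race([runIframeAuth(), timeout]);
  } finally {
    clearTimeout(timer);
  }
}
```

In an application the call site looks like `getTokenSilentlyGuarded({ env: self, runIframeAuth })` followed by `catch (e) { if (e.error === 'login_required') { /* redirect or popup */ } }`. `frameLoadsUnderRequireCorp` is meant for checking a captured response (for example the headers of a `/authorize` request fetched with curl), since a page cannot read a cross-origin frame's response headers itself.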

@stevehobbsdev (Contributor)

@tekilla123 We don't have such a feature, but it's one to explore when we investigate what we can do here.

@nick4fake

@stevehobbsdev this looks like a really severe issue (though it only applies to a small subset of users) that should be fixed on the Auth0 side

kennaku1 commented Aug 31, 2021

This issue needs to be fixed by Auth0 if they want customers who have WASM-enabled applications.
Many of these applications need to use SharedArrayBuffers, which are now only available when these headers are added to your page:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

Starting from Chrome version 92, enabling these headers and using Auth0 won't work.

https://developer.chrome.com/blog/enabling-shared-array-buffer/

This would be a relatively small and quick fix if you allow users to designate if they would like to use the iframe approach or URL redirection.

@stevehobbsdev (Contributor)

Thanks @kennaku1. It's on my plate to resolve within the next couple of weeks - stay tuned!

miguelcobain commented Jan 25, 2024

@stevehobbsdev any news on implementing this feature? It is a really crucial one for web apps using Auth0 and SharedArrayBuffers.

The iframe should be served with Cross-Origin-Resource-Policy: cross-origin header.
