Disable iframe fallback if browser is in crossOriginIsolated mode #703
Comments
Thanks for raising this @tekilla123. I can see the problem - with the headers set I get absolutely nothing to tell me that something is wrong, the iframe just eventually times out. Looking at your code, we should probably just throw a I will add it to our internal backlog 👍
In my current understanding of the issue, the cleanest solution would be if the iframe has the CEOP and CORP headers set. This would fix the token refresh via iframe without logging in again. Is there a feature to set such headers on the see: https://web.dev/coop-coep/
@tekilla123 We don't have such a feature, but it's one to explore when we investigate what we can do here.
@stevehobbsdev this looks like a really severe issue (though it only applies to a small subset of users) that should be fixed on the Auth0 side.
This issue needs to be fixed by Auth0 if they want customers who have WASM-enabled applications. Cross-Origin-Embedder-Policy: require-corp Starting from Chrome version 92, enabling these headers and using auth0 won't work. https://developer.chrome.com/blog/enabling-shared-array-buffer/ This would be a relatively small and quick fix if you allow users to designate if they would like to use the iframe approach or URL redirection.
Thanks @kennaku1. It's on my plate to resolve within the next couple of weeks - stay tuned!
@stevehobbsdev any news on implementing this feature? It is a really crucial one for web apps using Auth0 and SharedArrayBuffers. The iframe should be served with
Describe the problem you'd like to have solved
We use the SharedArrayBuffer and wasm-threads in our application. Therefore we have to set the browser to cross-origin isolated mode by using the following headers on the main page.
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
See: https://web.dev/coop-coep/
With this setup we cannot use this SDK, because it falls back to an iframe in several scenarios. The browser blocks those iframes, because they do not have a CORP header set. AFAIK there is no option to add a CORP header on the auth0 iframe.
This behaviour has been introduced in Chrome 88 and is enforced in Firefox for a while now.
Describe the ideal solution
This use case should be handled by the SDK transparently or, if the iframe fallback fails, a 'login_required' error should be thrown.
Alternatives and current work-arounds
We solved it by preventing the iframe attempt and redirecting the browser to the login.
https://github.com/tekilla123/auth0-spa-js/commit/7cf90cab882f419228ea7adb36b1f2497a87a75d
Additional context
see: https://community.auth0.com/t/use-spa-sdk-with-cross-origin-embeder-policy/57285
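The failure mode described in this report, as an added example that is not part of the issue or of auth0-spa-js: detect a cross-origin isolated page, decide whether a hidden-iframe token refresh can work at all, and raise a `login_required` error instead of letting the iframe time out. `env`, the header objects and the `getTokenOrFail` wrapper are constructed stand-ins for `window.crossOriginIsolated`, HTTP response headers and the SDK's silent-auth call.

```javascript
// Added example, not auth0-spa-js code. `env` models the window
// ({ crossOriginIsolated: boolean }); header objects use lower-case names.

// Headers the reporter sets on the main page to get cross-origin isolation (constructed sample).
const ISOLATING_HEADERS = {
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-embedder-policy': 'require-corp',
};

const header = (headers, name) => String(headers[name] || '').trim().toLowerCase();

// True when COOP/COEP carry the values that make a page cross-origin isolated.
function headersEnableIsolation(headers) {
  return header(headers, 'cross-origin-opener-policy') === 'same-origin' &&
    header(headers, 'cross-origin-embedder-policy') === 'require-corp';
}

// Simplified check for a cross-origin document framed by a COEP: require-corp page:
// it must opt in with CORP: cross-origin and, being a nested document, must itself
// be served with COEP: require-corp. Without these the browser blocks the frame
// silently, which is why the SDK's iframe just times out.
function frameIsEmbeddableUnderCoep(frameHeaders) {
  return header(frameHeaders, 'cross-origin-resource-policy') === 'cross-origin' &&
    header(frameHeaders, 'cross-origin-embedder-policy') === 'require-corp';
}

// 'iframe' when silent auth via iframe is viable in this context, otherwise 'redirect'.
// frameHeaders is optional: the headers the framed authorize page is known to send.
function chooseRefreshStrategy(env, frameHeaders) {
  if (!env.crossOriginIsolated) return 'iframe';
  if (frameHeaders && frameIsEmbeddableUnderCoep(frameHeaders)) return 'iframe';
  return 'redirect';
}

// The explicit error the issue asks for instead of a silent timeout.
class LoginRequiredError extends Error {
  constructor() {
    super('Silent authentication via iframe is blocked in a cross-origin isolated page');
    this.error = 'login_required';
  }
}

// Hypothetical getTokenSilently-style wrapper; runIframeAuth is the caller's iframe flow.
function getTokenOrFail(env, runIframeAuth, frameHeaders) {
  if (chooseRefreshStrategy(env, frameHeaders) === 'iframe') return runIframeAuth();
  throw new LoginRequiredError();
}
```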