-
Notifications
You must be signed in to change notification settings - Fork 902
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: CORS error while using iframes #2176
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎ |
Thank you for following the naming conventions for pull request titles! 🙏 |
packages/surveys/src/components/general/Survey.tsxConsider specifying the target origin in the postMessage call to ensure the message is only sent to the intended domain. This will prevent any potential data leaks if there are other iframes from different origins on the page. // Replace "*" with the target origin
window.parent.postMessage("formbricksSurveyCompleted", "https://target-origin.com");
|
const event = new CustomEvent("formbricksSurveyCompleted", { detail: { surveyId: survey.id } }); | ||
window.top?.dispatchEvent(event); | ||
// Post a message to the parent window indicating that the survey is completed. | ||
window.parent.postMessage("formbricksSurveyCompleted", "*"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace '*' with the target origin in the postMessage call to ensure the message is only sent to the intended domain.
window.parent.postMessage("formbricksSurveyCompleted", "*"); | |
window.parent.postMessage("formbricksSurveyCompleted", "https://target-origin.com"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Dhruwang thanks for the PR; looks great 😊💪
What does this PR do?
Fixes iFrame issue #2172
The error is a result of the same-origin policy, a critical security mechanism in web browsers. This policy restricts how a document or script loaded from one origin can interact with resources from another origin. In our case, the script is trying to access a frame (window.top) that is not of the same origin.
For our onboarding it works well because the iframe in embedded in a parent with the same origin as of the onboarding survey (
https://app.formbricks.com
), but it throws an error when iframes are embedded on pages with origin different fromhttps://app.formbricks.com
So to solve this we now use
Window: postMessage()
. Thewindow.postMessage()
method safely enables cross-origin communication between window objects; e.g. between a page and an iframe embedded within it.Read about window.postMessage()
How should this be tested?
Testing this would require creating a survey locally (not on cloud), and embed it using iFrames on
Checklist
Required
pnpm build
console.logs
git pull origin main
Appreciated