SecurityError from Facebook and Cross Domain Messaging


Problem description

We have an application that utilizes the Facebook JavaScript SDK and login capabilities.

We've been noticing this error come up in our production logs. Specifically for iOS devices with versions 10.3 and higher. Also seems to only be targeting Safari browsers.


SecurityError (DOM Exception 18): Blocked a frame with origin "https://www.mymadeupsite.com" from accessing a frame with origin "https://staticxx.facebook.com". The frame being accessed set "document.domain" to "facebook.com", but the frame requesting access did not. Both must set "document.domain" to the same value to allow access.

Here is our init function:

        init: function(options) {
            var facebookUrl, scriptInclude;
            Facebook.baseHost = options.baseHost;
            if (typeof FB !== "undefined" && FB !== null) {
                return Facebook.setup();
            } else {
                if (options.appId == null) {
                    throw 'Facebook: cannot init without appId';
                }
                window.fbAsyncInit = function() {
                    FB.init({
                        appId: options.appId,
                        version    : 'v2.3',
                        channelUrl: options.channelUrl || ("" + document.location.protocol + "//" + document.location.host + "/channel.html"),
                        status: true,
                        cookie: false,
                        xfbml: false,
                        oauth: true
                    });
                    return Facebook.setup();
                };
                $('body').append('<div id="fb-root"></div>');
                facebookUrl = "//connect.facebook.net/" + (Facebook.getLocaleFacebookSupports(Social.SETTINGS.fbLocale)) + "/sdk.js";
                scriptInclude = "<script type=\"text/javascript\" async=\"true\" src=\"" + facebookUrl + "\"></script>";
                return $('#fb-root').append(scriptInclude);
            }
        }

My question, why are we only getting this error on iOS devices and versions 10.3?

Recommended answer

I ran into this issue as well, and after digging around it seems to be a bug in the browser's autofill: the stacktrace that is sent to our logging cluster looks as follows:

g@https://example.com:5:190, 
g@https://example.com:7:323, 
extractNewForms@https://example.com:13:37, 
extractForms@https://example.com:8:381, 
global code@https://example.com:1:98

As you can see, the error happens somewhere in an extractForms function, which (for us) doesn't exist anywhere in the code base. A Google search reveals that both extractForms and extractNewForms are part of the browser's autofill library, and the thread here suggests that there is a bug in there (comments 12 & 15 are most relevant to your issue).

As far as I can tell this is also not specifically related to Facebook: in our logs we see similar errors for more iframes, including iframes from (sub)domains we control ourselves.

Unfortunately I don't know about any fix or workaround, and I also highly doubt if a (user-land) fix/workaround is actually possible. I think the only thing you can do is to ignore these errors.
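
One way to apply the answer's advice to ignore these errors without also discarding genuine SecurityErrors, as an added example that is not part of the original question or answer: a filter for a client-side error reporting pipeline. The function names, the report shape (`{ message, stack }`) and the sample reports are assumptions constructed for illustration.

```javascript
// Added example; function and variable names are hypothetical.
// Frames the answer's stack trace attributes to the browser's autofill code.
const AUTOFILL_FRAME = /^(?:extractForms|extractNewForms)@/;
// Shape of the cross-frame access error quoted in the question.
const FRAME_BLOCKED = /^SecurityError\b.*Blocked a frame with origin "[^"]+" from accessing a frame with origin "[^"]+"/;

// Split a Safari-style stack ("fn@url:line:col" per line) into clean frames.
function stackFrames(stack) {
  return String(stack || '')
    .split('\n')
    .map((line) => line.trim().replace(/,$/, ''))
    .filter(Boolean);
}

// True only when BOTH signals are present: the cross-frame SecurityError
// message and an autofill frame in the stack. A SecurityError raised from
// application code, or any other error type, is still reported.
function isAutofillFrameNoise(report) {
  if (!FRAME_BLOCKED.test(report.message || '')) return false;
  return stackFrames(report.stack).some((f) => AUTOFILL_FRAME.test(f));
}

// Partition reports, counting suppressed ones so a sudden change stays visible.
function triage(reports) {
  const kept = [];
  let suppressed = 0;
  for (const r of reports) {
    if (isAutofillFrameNoise(r)) suppressed += 1;
    else kept.push(r);
  }
  return { kept, suppressed };
}

// Constructed sample reports (message and stack shapes taken from the page).
const MSG = 'SecurityError (DOM Exception 18): Blocked a frame with origin ' +
  '"https://www.mymadeupsite.com" from accessing a frame with origin ' +
  '"https://staticxx.facebook.com".';
const SAMPLE_REPORTS = [
  { message: MSG, stack: 'g@https://example.com:5:190, \n' +
      'extractNewForms@https://example.com:13:37, \n' +
      'extractForms@https://example.com:8:381, \n' +
      'global code@https://example.com:1:98' },
  // Same message, but thrown from (hypothetical) application code: keep it.
  { message: MSG, stack: 'readFrame@https://example.com/app.js:10:5' },
  // Different error type that merely passes through autofill: keep it.
  { message: 'TypeError: undefined is not an object',
    stack: 'extractForms@https://example.com:8:381' },
];
```

Matching on the message alone would also hide cross-frame access bugs in your own code, which is why the stack check is required before a report is dropped.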
