We are currently seeing a lot of SecurityErrors being reported that are originating from the autofill function of Chrome for iOS.
The exception message usually reads something like:
Blocked a frame with origin "https://www.foo.bar" from accessing a frame with origin "https://4606765.fls.doubleclick.net". Protocols, domains, and ports must match.
This seems to be caused by the injected browser code trying to access forms in an <iframe> with a different origin.
related links:
Example
sentry.interfaces.Exception content
{
  "sentry.interfaces.Exception": {
    "exc_omitted": null,
    "values": [
      {
        "stacktrace": {
          "has_system_frames": false,
          "frames": [
            {
              "function": "global code",
              "abs_path": "https://www.foo.bar/",
              "module": "<unknown module>",
              "filename": "/",
              "post_context": [
                "<html>",
                " <head>",
                " <meta charset=\"utf-8\">",
                " <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">",
                ""
              ],
              "colno": 98,
              "in_app": false,
              "context_line": "<!DOCTYPE html>",
              "lineno": 1
            },
            {
              "function": "extractForms",
              "abs_path": "https://www.foo.bar/",
              "pre_context": [
                " <head>",
                " <meta charset=\"utf-8\">",
                " <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">",
                "",
                ""
              ],
              "module": "<unknown module>",
              "filename": "/",
              "post_context": [
                "",
                "",
                " <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">",
                " <meta name=\"HandheldFriendly\" content=\"True\"/>",
                " <meta name=\"MobileOptimized\" content=\"320\"/>"
              ],
              "colno": 381,
              "in_app": false,
              "context_line": " <title>Foo Bar</title>",
              "lineno": 8
            },
            {
              "function": "extractNewForms",
              "abs_path": "https://www.foo.bar/",
              "pre_context": [
                " <title>Foo Bar</title>",
                "",
                "",
                " <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">",
                " <meta name=\"HandheldFriendly\" content=\"True\"/>"
              ],
              "module": "<unknown module>",
              "filename": "/",
              "post_context": [
                " <meta http-equiv=\"cleartype\" content=\"on\"/>",
                "",
                " <link rel=\"shortcut icon\" href=\"/external_assets/favicons/favicon.ico\" id=\"favicon\" />",
                " <link rel=\"apple-touch-icon-precomposed\" sizes=\"57x57\" href=\"/external_assets/favicons/apple-touch-icon-57x57-precomposed.png\" />",
                " <link rel=\"apple-touch-icon-precomposed\" sizes=\"72x72\" href=\"/external_assets/favicons/apple-touch-icon-72x72-precomposed.png\" />"
              ],
              "colno": 37,
              "in_app": false,
              "context_line": " <meta name=\"MobileOptimized\" content=\"320\"/>",
              "lineno": 13
            },
            {
              "function": "g",
              "abs_path": "https://www.foo.bar/",
              "pre_context": [
                "<html>",
                " <head>",
                " <meta charset=\"utf-8\">",
                " <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">",
                ""
              ],
              "module": "<unknown module>",
              "filename": "/",
              "post_context": [
                " <title>Foo Bar</title>",
                "",
                "",
                " <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">",
                " <meta name=\"HandheldFriendly\" content=\"True\"/>"
              ],
              "colno": 323,
              "in_app": false,
              "context_line": "",
              "lineno": 7
            },
            {
              "function": "g",
              "abs_path": "https://www.foo.bar/",
              "pre_context": [
                "<!DOCTYPE html>",
                "<html>",
                " <head>",
                " <meta charset=\"utf-8\">"
              ],
              "module": "<unknown module>",
              "filename": "/",
              "post_context": [
                "",
                "",
                " <title>Foo Bar</title>",
                "",
                ""
              ],
              "colno": 190,
              "in_app": false,
              "context_line": " <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">",
              "lineno": 5
            }
          ],
          "frames_omitted": null
        },
        "mechanism": null,
        "type": "SecurityError",
        "module": null,
        "thread_id": null,
        "value": "Blocked a frame with origin \"https://www.foo.bar\" from accessing a frame with origin \"https://4606765.fls.doubleclick.net\". Protocols, domains, and ports must match.",
        "raw_stacktrace": null
      }
    ]
  }
}
I would like to propose adding this kind of exception to the BrowserExtensionsFilter. I can try to add the filtering code myself, but I would need some guidance on how you would like me to filter for this kind of exception (e.g. filter everything where the first frame has function: 'global code'?).
Is it possible to ignore this error for now by using ignoreErrors?
ref. https://forum.sentry.io/t/ignoreerrors-regex-not-removing-error-from-sentry/1528
Right now I just use this:
ignoreErrors: [
  // Error generated by a bug in auto-fill library from browser
  // https://github.com/getsentry/sentry/issues/5267
  /Blocked a frame with origin/,
]
@PikachuEXE Thanks! I'll try.
Closing this issue due to staleness. Feel free to comment here if you think we should still work on this.
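Added example (not part of the thread and not Sentry's code): the `/Blocked a frame with origin/` pattern above matches on the message alone, so it also drops the same SecurityError when a site's own script causes it. This filter additionally requires the stack to look like the trace posted in the issue: no `in_app` frames and at least one `extractForms` or `extractNewForms` frame. The names `isAutofillFrameNoise`, `exceptionValues` and `sampleEvent` are hypothetical, the event shape is the `sentry.interfaces.Exception` payload shown above, and it is assumed that the injected autofill function names stay as in that trace.

```javascript
// Added example; helper names are hypothetical and not part of any Sentry SDK.
const CROSS_ORIGIN_MSG =
  /^Blocked a frame with origin "[^"]+" from accessing a frame with origin "[^"]+"/;
// Function names taken from the stack trace in the issue (assumed to be stable).
const AUTOFILL_FUNCTIONS = new Set(['extractForms', 'extractNewForms']);

// Returns the exception list of an event in the payload shape shown in the issue.
function exceptionValues(event) {
  const exc = event && event['sentry.interfaces.Exception'];
  return exc && Array.isArray(exc.values) ? exc.values : [];
}

// True only when every exception in the event matches the autofill pattern.
function isAutofillFrameNoise(event) {
  const values = exceptionValues(event);
  if (values.length === 0) return false;
  return values.every((v) => {
    if (v.type !== 'SecurityError' || !CROSS_ORIGIN_MSG.test(v.value || '')) return false;
    const frames = (v.stacktrace && v.stacktrace.frames) || [];
    // An in-app frame means the site's own code touched the foreign frame: keep it.
    if (frames.length === 0 || frames.some((f) => f.in_app)) return false;
    return frames.some((f) => AUTOFILL_FUNCTIONS.has(f.function));
  });
}

// Constructed sample events, trimmed from the payload shape in the issue.
function sampleEvent(functions, inApp) {
  return {
    'sentry.interfaces.Exception': {
      values: [{
        type: 'SecurityError',
        value: 'Blocked a frame with origin "https://www.foo.bar" from accessing a frame ' +
          'with origin "https://4606765.fls.doubleclick.net". Protocols, domains, and ports must match.',
        stacktrace: {
          frames: functions.map((fn) => ({ function: fn, filename: '/', in_app: inApp })),
        },
      }],
    },
  };
}

const autofillEvent = sampleEvent(['global code', 'extractForms', 'extractNewForms', 'g', 'g'], false);
const appEvent = sampleEvent(['global code', 'readWidgetState'], true); // constructed app-code case
console.log(isAutofillFrameNoise(autofillEvent), isAutofillFrameNoise(appEvent));
```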