Skip to content

Fix iframe communication failure under Chrome strict-origin-isolation #901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
MelvinBot wants to merge 2 commits into
base: main
Choose a base branch
from
+22 −4
Draft

Fix iframe communication failure under Chrome strict-origin-isolation #901

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b4e0495
Fix iframe communication failure under strict-origin-isolation
MelvinBot Mar 12, 2026
1b8b811
Simplify strict-origin-isolation fallback to use '*' targetOrigin
MelvinBot Mar 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 22 additions & 4 deletions lib/jquery.expensifyIframify.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -164,14 +164,26 @@ export default {
// Sending message from the iFrame to the parent
// Only post a message if this is in an iFrame
if (!postToIframe && window.parent !== window) {
targetOrigin = `${window.parent.location.protocol}//${window.parent.location.hostname}`;
try {
targetOrigin = `${window.parent.location.protocol}//${window.parent.location.hostname}`;
} catch (e) {
// window.parent.location throws SecurityError under strict-origin-isolation.
// Using '*' is safe because handleWindowMessage validates event.origin independently.
targetOrigin = '*';
}
log('posting message to parent', targetOrigin, msg);
window.parent.postMessage(msg, targetOrigin);
}

// Sending message from the parent to the iFrame
if (postToIframe && iframeElement[0].contentWindow) {
targetOrigin = `${iframeElement[0].contentWindow.location.protocol}//${iframeElement[0].contentWindow.location.hostname}`;
try {
targetOrigin = `${iframeElement[0].contentWindow.location.protocol}//${iframeElement[0].contentWindow.location.hostname}`;
} catch (e) {
// contentWindow.location throws SecurityError under strict-origin-isolation.
// Using '*' is safe because handleWindowMessage validates event.origin independently.
targetOrigin = '*';
}
log('posting message to iframe', targetOrigin, msg);
iframeElement[0].contentWindow.postMessage(msg, targetOrigin);
}
Expand Down Expand Up @@ -387,8 +399,14 @@ export default {
const subdomain = domainArray.shift();
const domainWithoutSubdomain = domainArray.join('.');

// There are some browsers that don't support document.domain so we have to manually create it
document.domain = domainWithoutSubdomain;
// Attempt to set document.domain for same-site iframe communication.
// This is blocked when Chrome's strict-origin-isolation flag is enabled
// or when the deprecated document.domain setter is fully removed.
try {
document.domain = domainWithoutSubdomain;
} catch (e) {
// Silently ignore - cross-origin communication will rely on postMessage
}
iframeElement = this; // eslint-disable-line consistent-this

if (!wasInitalized) {
Expand Down
Loading