From 4db9782d1278a2b7235ed48162ccedf0e0952113 Mon Sep 17 00:00:00 2001 From: Yun Feng Date: Fri, 6 Jun 2025 20:23:27 +0800 Subject: [PATCH 01/70] fix: CI hangs forever in the yarn [4/4] Building fresh packages... (#1696) * fix: CI hang forever in the yarn [4/4] Building fresh packages... --- .changeset/rich-scissors-hide.md | 2 ++ .github/workflows/ci-cd.yml | 12 ++++++++---- .github/workflows/release.yml | 2 ++ .github/workflows/style-check.yml | 6 ++++++ 4 files changed, 18 insertions(+), 4 deletions(-) create mode 100644 .changeset/rich-scissors-hide.md diff --git a/.changeset/rich-scissors-hide.md b/.changeset/rich-scissors-hide.md new file mode 100644 index 00000000..a845151c --- /dev/null +++ b/.changeset/rich-scissors-hide.md @@ -0,0 +1,2 @@ +--- +--- diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index cb43a726..f51b6283 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml @@ -25,6 +25,8 @@ jobs: - name: Install Dependencies run: yarn install --frozen-lockfile + env: + PUPPETEER_DOWNLOAD_BASE_URL: 'https://storage.googleapis.com/chrome-for-testing-public' - name: Build Project run: NODE_OPTIONS='--max-old-space-size=4096' yarn build:all @@ -39,10 +41,12 @@ jobs: - name: Check bundle sizes uses: preactjs/compressed-size-action@v2 with: - install-script: "yarn install --frozen-lockfile" - build-script: "build:all" - compression: "none" - pattern: "**/dist/*.{js,cjs,mjs,css}" + install-script: 'yarn install --frozen-lockfile' + build-script: 'build:all' + compression: 'none' + pattern: '**/dist/*.{js,cjs,mjs,css}' + env: + PUPPETEER_SKIP_DOWNLOAD: true - name: Upload diff images to GitHub uses: actions/upload-artifact@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5ba49c81..a3515213 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
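Review bot: The `PUPPETEER_DOWNLOAD_BASE_URL` added to the Install Dependencies step in ci-cd.yml has no comment saying why it is set, yet it decides which origin the install step fetches a browser binary from. A line above `env:` such as `# Official Chrome for Testing bucket, pinned explicitly; see #1696 (install hung in CI)` would give a later editor the reason and discourage swapping in an unvetted mirror. The same gap applies to the `PUPPETEER_SKIP_DOWNLOAD: true` additions in the bundle-size step here and in release.yml and style-check.yml, where a short comment could state that those jobs presumably never launch a browser. The bare `true` would also sit better as `'true'`, matching the quoted-string style this commit applies to the surrounding values.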
@@ -22,6 +22,8 @@ jobs: - name: Install Dependencies run: yarn install --frozen-lockfile + env: + PUPPETEER_SKIP_DOWNLOAD: true - name: Create Release Pull Request or Publish to npm id: changesets diff --git a/.github/workflows/style-check.yml b/.github/workflows/style-check.yml index 4dfb4340..a37b1a45 100644 --- a/.github/workflows/style-check.yml +++ b/.github/workflows/style-check.yml @@ -21,6 +21,8 @@ jobs: cache: 'yarn' - name: Install Dependencies run: yarn install --frozen-lockfile + env: + PUPPETEER_SKIP_DOWNLOAD: true - name: Build Packages run: NODE_OPTIONS='--max-old-space-size=4096' yarn build:all - name: Eslint Check @@ -72,6 +74,8 @@ jobs: cache: 'yarn' - name: Install Dependencies run: yarn install --frozen-lockfile + env: + PUPPETEER_SKIP_DOWNLOAD: true - name: Prettier Check run: yarn prettier --check '**/*.{ts,md}' @@ -94,6 +98,8 @@ jobs: cache: 'yarn' - name: Install Dependencies run: yarn install --frozen-lockfile + env: + PUPPETEER_SKIP_DOWNLOAD: true - name: Prettify Code run: yarn prettier --write '**/*.{ts,md}' - name: Commit Changes From fc390a954c4fc17fe2ee0e2b6edba634611349e0 Mon Sep 17 00:00:00 2001 From: Yun Feng Date: Tue, 5 Aug 2025 00:45:57 -0700 Subject: [PATCH 02/70] fix: rrweb recorder may throw error when stopping recording after an iframe becomes cross-origin (#1695) * fix: rrweb recorder may throw error when stopping recording after an iframe becomes cross-origin * add change set * add failure message check * Update packages/rrweb/src/record/index.ts Co-authored-by: Eoghan Murray * remove settimeout --------- Co-authored-by: Eoghan Murray --- .changeset/nervous-actors-jam.md | 5 +++++ packages/rrweb/src/record/index.ts | 20 +++++++++++++++++++- packages/rrweb/test/record.test.ts | 21 +++++++++++++++++++++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 .changeset/nervous-actors-jam.md 
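Review bot: In release.yml the Install Dependencies step still runs every dependency's install script inside the job that goes on to publish to npm, because `PUPPETEER_SKIP_DOWNLOAD` removes only the browser fetch. Whether publish credentials are visible to this step cannot be told from the hunk. If the release build does not rely on any install-time script, `run: yarn install --frozen-lockfile --ignore-scripts` would narrow what third-party code executes in that job. The job definition continues outside the hunk.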
diff --git a/.changeset/nervous-actors-jam.md b/.changeset/nervous-actors-jam.md new file mode 100644 index 00000000..641eff87 --- /dev/null +++ b/.changeset/nervous-actors-jam.md @@ -0,0 +1,5 @@ +--- +"rrweb": patch +--- + +fix: rrweb recorder may throw error when stopping recording after an iframe becomes cross-origin diff --git a/packages/rrweb/src/record/index.ts b/packages/rrweb/src/record/index.ts index 1308c378..65da8ec8 100644 --- a/packages/rrweb/src/record/index.ts +++ b/packages/rrweb/src/record/index.ts @@ -617,7 +617,25 @@ function record( ); } return () => { - handlers.forEach((h) => h()); + handlers.forEach((handler) => { + try { + handler(); + } catch (error) { + const msg = String(error).toLowerCase(); + /** + * https://github.com/rrweb-io/rrweb/pull/1695 + * This error can occur in a known scenario: + * If an iframe is initially same-origin and observed, but later its + location is changed in an opaque way to a cross-origin URL (perhaps within the iframe via its `document.location` or a redirect) + * attempting to execute the handler in the stop record function will + throw a "cannot access cross-origin frame" error. + * This error is expected and can be safely ignored. + */ + if (!msg.includes('cross-origin')) { + console.warn(error); + } + } + }); processedNodeManager.destroy(); recording = false; unregisterErrorHandler(); diff --git a/packages/rrweb/test/record.test.ts b/packages/rrweb/test/record.test.ts index cfba2b46..1caabb4b 100644 --- a/packages/rrweb/test/record.test.ts +++ b/packages/rrweb/test/record.test.ts 
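Review bot: The catch block in the stop callback decides what to suppress by searching `String(error)` for the substring 'cross-origin', and engine error messages are not standardized, so the filter can miss the expected failure in another browser and can hide an unrelated error whose text happens to contain that word. Matching on the exception's `name` is steadier (cross-origin frame access is reported as a `SecurityError` DOMException, as far as I know), with the message test kept only as a fallback; the fence below shows that shape. A handler that throws may not have finished detaching its observers, and stopping is the point where a host page expects capture to end, so it is worth confirming that the skipped teardown cannot keep emitting events. The explanatory block is a `/** */` doc comment with two lines missing their leading `*`, and a plain `//` comment would read better. `record()` begins and ends outside this hunk.

```typescript
// … unchanged: handlers.forEach((handler) => { try { handler(); …
      } catch (error) {
        // Expected once an observed same-origin iframe has navigated
        // cross-origin (see PR #1695); anything else is still reported.
        const name = (error as { name?: unknown } | null)?.name;
        const expected =
          name === 'SecurityError' ||
          String(error).toLowerCase().includes('cross-origin');
        if (!expected) {
          console.warn(error);
        }
      }
// … unchanged: end of forEach callback, processedNodeManager.destroy() …
```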
@@ -990,6 +990,27 @@ describe('record', function (this: ISuite) { await assertSnapshot(ctx.events); }); + + it('does not throw error when stopping recording after iframe becomes cross-origin', async () => { + await ctx.page.evaluate(async () => { + const { record } = (window as unknown as IWindow).rrweb; + const stopRecord = record({ + emit: (window as unknown as IWindow).emit, + }); + const iframe = document.createElement('iframe'); + (window as any).stopRecord = stopRecord; + (window as any).iframe = iframe; + document.body.appendChild(iframe); + }); + await waitForRAF(ctx.page); + await ctx.page.evaluate(async () => { + (window as any).iframe.src = 'https://www.example.com'; // Change the same origin iframe to a cross origin iframe after it's recorded + }); + await waitForRAF(ctx.page); + await ctx.page.evaluate(() => { + (window as any).stopRecord?.(); + }); + }); }); describe('record iframes', function (this: ISuite) { From 0bceef6a15ca72b1f6a94a98d0e4a72d5a021eb3 Mon Sep 17 00:00:00 2001 From: Rotem Reiss Date: Tue, 5 Aug 2025 11:28:23 +0300 Subject: [PATCH 03/70] Create SECURITY.md (#1719) * Create SECURITY.md * Format fix * Update SECURITY.md * Update SECURITY.md * Update SECURITY.md Co-authored-by: Paul D'Ambra * Update SECURITY.md mention the google group is private * Update SECURITY.md * Update SECURITY.md formatting --------- Co-authored-by: Yun Feng Co-authored-by: Paul D'Ambra Co-authored-by: Eoghan Murray --- SECURITY.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..130691bc --- /dev/null +++ b/SECURITY.md 
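Review bot: The new test can pass without the iframe ever having become cross-origin, because it sets `src` to `https://www.example.com` and then waits a single animation frame, which does not guarantee the navigation has committed before `stopRecord` runs. It also makes the suite depend on outbound network access from CI. Waiting for the frame's load before stopping, or serving the frame from a second local origin, would make the scenario deterministic. Nothing is asserted about the `console.warn` path either, so a regression that starts warning on the expected error would go unnoticed; collecting messages via `ctx.page.on('console', ...)` and asserting that none were emitted would cover it. The enclosing `describe('record', ...)` block starts outside the hunk.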
@@ -0,0 +1,15 @@
+# Vulnerability Disclosure Policy
+
+This document outlines rrweb's vulnerability disclosure policy.
+
+## Reporting a Vulnerability
+
+Please do not report security vulnerabilities through public GitHub issues.
+Instead, please report them to our GitHub Security page. If you prefer to submit one without using GitHub, you can also email the
+private Google Group rrweb-security@googlegroups.com, which will go to the core team members only. We commit to acknowledging
+vulnerability reports and will work to fix active vulnerabilities as soon as we can (noting this is a community run project).
+
+We will publish resolved vulnerabilities as security advisories on our GitHub security page.
+
+We appreciate your help in making rrweb more secure for everyone.
+Thank you for your support and responsible disclosure.
From f2419f2513e9ad3ea597e2b5a4463a4fbf74868f Mon Sep 17 00:00:00 2001
From: Meg Boehlert <76970479+megboehlert@users.noreply.github.com>
Date: Fri, 5 Sep 2025 05:12:27 -0400
Subject: [PATCH 04/70] Use node.baseURI for stringifying stylesheet hrefs (#1705)
---
.changeset/lucky-trainers-joke.md | 5 +++
packages/rrweb-snapshot/src/utils.ts | 4 +-
packages/rrweb-snapshot/test/utils.test.ts | 45 ++++++++++++++++++++++
3 files changed, 52 insertions(+), 2 deletions(-)
create mode 100644 .changeset/lucky-trainers-joke.md
diff --git a/.changeset/lucky-trainers-joke.md b/.changeset/lucky-trainers-joke.md
new file mode 100644
index 00000000..a91920d3
--- /dev/null
+++ b/.changeset/lucky-trainers-joke.md
@@ -0,0 +1,5 @@
+---
+"rrweb-snapshot": patch
+---
+
+use ownerNode.baseURI for stringifying sheet hrefs
diff --git a/packages/rrweb-snapshot/src/utils.ts b/packages/rrweb-snapshot/src/utils.ts
index 102787c6..418ce823 100644
--- a/packages/rrweb-snapshot/src/utils.ts
+++ b/packages/rrweb-snapshot/src/utils.ts
@@ -118,9 +118,9 @@ export function stringifyStylesheet(s: CSSStyleSheet): string | null { return null; } let sheetHref = s.href; - if (!sheetHref && s.ownerNode && s.ownerNode.ownerDocument) { + if (!sheetHref && s.ownerNode) { // an inline