Possible issue "An attempt was made to break through the security policy of the user agent" in Facebook + Android #21

@tomastan


Hi,

(Disclaimer: I did not have a chance to use your package exactly, but as the code is based on an abandoned original fork, there could be a mutual issue. Possibly you can replicate it in your own deployments.)

We found that the package authorization fails for Facebook on some mobile devices. After digging in, it looks like "An attempt was made to break through the security policy of the user agent" is thrown on an attempt to read `this.popup.location`. It went unnoticed for a long time, as:

  • it works with desktop browsers
  • it works on mobile Safari devices
  • it works for Google and LinkedIn
  • it fails on Facebook + Android 13 and 14 + Chrome, Opera and Firefox browsers.

It is pretty unclear why such a combo is specific and whether this is reproducible for others. We have located the source of the problem, but have no idea how to solve it. Specifically:

Reading `this.popup.location` in

```js
const popupWindowPath = getFullUrlPath(this.popup.location);
```

In my case (dgrubelic fork) it is: https://github.com/dgrubelic/vue-authenticate/blob/f4aa8cb9a416842557213edaab19a30085b0a0aa/src/oauth/popup.js#L60C50-L60C69

1. Popup opens - the value `this.popup.location` is "about:blank"
2. Popup navigates to Facebook, exception is thrown and suppressed: "Failed to read a named property from 'Location': Blocked a frame with origin "https://my.dev.domain" from accessing a cross-origin frame."
3. Login happens on Facebook
4. ..
5. Popup navigates back to redirectUri (https://my.dev.domain). While it is expected to get redirect URL including query string/hash from `this.popup.location`, an exception is thrown while reading it: "An attempt was made to break through the security policy of the user agent.". The catch suppresses the exception, the window is not closed and authentication stalls.

Does anyone face the same?
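
An added example, not part of the original report and not vue-authenticate's own code: one way to poll the popup so that a `SecurityError` on `popup.location` is recorded and the flow ends with a visible timeout instead of stalling silently. The function names `classifyPopup` and `pollStep` and the sample popup objects are hypothetical and constructed for illustration; it does not change whether the browser allows the read.

```javascript
// Added example: classifyPopup and pollStep are hypothetical names, not vue-authenticate APIs.
// Inspect the popup once and report what was seen instead of swallowing the error.
function classifyPopup(popup, redirectUri) {
  if (!popup || popup.closed) return { state: 'closed' };
  let href;
  try {
    href = String(popup.location.href); // throws while the popup is cross-origin
  } catch (err) {
    // Keep the error name and message so a stalled login can be diagnosed.
    return { state: 'blocked', error: `${err.name}: ${err.message}` };
  }
  if (href === 'about:blank') return { state: 'pending' };
  const url = new URL(href);
  const expected = new URL(redirectUri);
  // Accept only the expected redirect origin and path.
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return { state: 'pending' };
  }
  const params = Object.fromEntries([
    ...url.searchParams,
    ...new URLSearchParams(url.hash.replace(/^#/, '')),
  ]);
  return { state: 'done', params };
}

// Decide the polling loop's next move; both times are in milliseconds.
function pollStep(result, elapsedMs, timeoutMs) {
  if (result.state === 'done') return { action: 'resolve', params: result.params };
  if (result.state === 'closed') return { action: 'reject', reason: 'popup closed before redirect' };
  if (elapsedMs >= timeoutMs) {
    const detail = result.error ? ` (last error: ${result.error})` : '';
    return { action: 'reject', reason: `timed out waiting for redirect${detail}` };
  }
  return { action: 'wait' };
}

// Constructed popups standing in for step 1, step 2 and the expected outcome of step 5.
const blankPopup = { closed: false, location: { href: 'about:blank' } };
const blockedPopup = {
  closed: false,
  get location() {
    const e = new Error('Blocked a frame from accessing a cross-origin frame.');
    e.name = 'SecurityError';
    throw e;
  },
};
const returnedPopup = { closed: false, location: { href: 'https://my.dev.domain/?code=abc&state=xyz' } };
```

A polling loop would call `classifyPopup` on each tick and act on `pollStep`, so the last error text reaches the caller when the deadline passes.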
