Uncaught SecurityError when using iframe #2703

Closed
naorye opened this issue Oct 15, 2015 · 25 comments
@naorye

naorye commented Oct 15, 2015

When using videoJS inside an iframe, the following code runs and causes an exception:

var hasAutomationEqualityBug = (function () {
    /* global window */
    if (typeof window === 'undefined') { return false; }
    for (var k in window) {
        if (!blacklistedKeys['$' + k] && has.call(window, k) && window[k] !== null && typeof window[k] === 'object') {
            try {
                equalsConstructorPrototype(window[k]);
            } catch (e) {
                return true;
            }
        }
    }
    return false;
}());

The problem is that window.frameElement is throwing the following exception:

Uncaught SecurityError: Failed to read the 'frame' property from 'Window': Blocked a frame with origin "https://frontend.dev:8001" from accessing a frame with origin "http://frontend.dev:8000".  The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http". Protocols must match.
@jtwalters

I have the same problem. Confirmed.

@mmcc
Member

mmcc commented Oct 15, 2015

So the code snippet you're referencing comes from the ES5-shim, but is this really a VJS issue? Trying to access an HTTPS-origin frame from an HTTP-origin frame isn't ever going to work for obvious security reasons. Mind putting up an example?

@gkatsev
Member

gkatsev commented Oct 15, 2015

Sounds like frame is another key that es5-shim might need to add to the blacklistedKeys array. See es-shims/es5-shim#322 for reference.

@jtwalters

@mmcc in my case, the issue is occurring with an https iframe inside a cross-origin, https page. Of course we shouldn't expect it to work, but it's still a bug that is effectively breaking my iframe's JS behavior due to the generated SecurityError.

@gkatsev
Member

gkatsev commented Oct 15, 2015

What version of videojs are you using? 5.0? Are you using our ie8 shim?

@jtwalters

* Video.js 5.0.0 <http://videojs.com/>

I don't believe I'm using any IE8 shim. Not sure how to confirm that.

This SecurityError is with latest stable Google Chrome, BTW.

@gkatsev
Member

gkatsev commented Oct 15, 2015

@jtwalters do you have an example?

@jtwalters

I put together this jsfiddle which will give you a SecurityError viewable in the console.

@jtwalters

Of course this is an oversimplified example and doesn't actually represent the error that I have.

@gkatsev
Member

gkatsev commented Oct 15, 2015

Ah, I think I see where it's coming from. This is from our object.assign module which uses an older version of object-keys which has a newer version which has frameElement blacklisted.
Do you want to put together a PR that updates object.assign to the latest version?

@naorye
Author

naorye commented Oct 15, 2015

I am using videoJS with npm and require it like this:
var videojs = require('video.js');
I didn't ask to include es5 shim.

@naorye
Author

naorye commented Oct 18, 2015

Whenever videojs is inside an iframe, I get this error.

Any solution?

@richardbushell
Contributor

Yes, me too, same problem. Videojs 5.0.0 produces the security error in Google Chrome, but the security error stops videojs from loading inside an iFrame. A quick fix would be HUGELY appreciated!

@andriidrebot

Same issue, only in the latest Chrome (v 46)

@rickyblaha

If anyone needs a quick fix in the meantime, modifying this in your own hosted copy of Video.js works for me in Chrome 46:

var hasAutomationEqualityBug = (function () {
  ...
    for (var k in window) {
      if (k === 'frameElement') {
        continue;
      }
      ...
    }
}());

@jemoreno

@rickyblaha I am using the CDN version of videojs and the quick fix doesn't fix that issue. Did you manually change the video.js file?

@gkatsev gkatsev self-assigned this Oct 19, 2015
@rickyblaha

@jemoreno, just edited my comment to clarify. Since that is immediately invoked it would need to be changed within the library, so I did make that change on my own CDN-hosted copy.

@gkatsev
Member

gkatsev commented Oct 19, 2015

Working on getting this fixed.

@gkatsev
Member

gkatsev commented Oct 19, 2015

Waiting on ljharb/object-keys#17

@ljharb
Contributor

ljharb commented Oct 19, 2015

Also note that the latest versions of es5-shim and object-keys have the blacklisting wrapped with a try/catch, so this should already be "fixed" in the latest version.

That said, thanks for the "frame" PR, as I'd still like to blacklist all throwing keys that I can :-)
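
An added example (not code from es5-shim, object-keys or Video.js) of the failure mode discussed in this thread and the two mitigations mentioned, a key blacklist and a try/catch around the property read. `makeFramedWindow`, `scanUnguarded` and `scanGuarded` are hypothetical names, and the throwing getters are constructed to mimic the SecurityError so the code runs outside a browser.

```javascript
// Constructed stand-in for a `window` inside a cross-origin iframe: reading
// `frameElement` or `frame` throws, like the SecurityError quoted in the issue.
function makeFramedWindow() {
  var win = { document: {}, location: {}, name: 'player' };
  ['frameElement', 'frame'].forEach(function (key) {
    Object.defineProperty(win, key, {
      enumerable: true,
      get: function () {
        var err = new Error('Blocked a frame from accessing a cross-origin frame.');
        err.name = 'SecurityError';
        throw err;
      }
    });
  });
  return win;
}

var has = Object.prototype.hasOwnProperty;

// Pattern from the issue: the property read in the `if` sits outside the try,
// so a throwing getter escapes and aborts the whole script.
function scanUnguarded(win, check) {
  var visited = [];
  for (var k in win) {
    if (has.call(win, k) && win[k] !== null && typeof win[k] === 'object') {
      try { check(win[k]); } catch (e) { return { bug: true, visited: visited }; }
      visited.push(k);
    }
  }
  return { bug: false, visited: visited };
}

// Hardened: skip known-throwing keys, and guard the read of win[k] itself.
function scanGuarded(win, check, blacklistedKeys) {
  var visited = [], skipped = [];
  for (var k in win) {
    if (blacklistedKeys['$' + k] || !has.call(win, k)) { continue; }
    var value;
    try { value = win[k]; } catch (e) { skipped.push(k); continue; }
    if (value !== null && typeof value === 'object') {
      check(value);
      visited.push(k);
    }
  }
  return { visited: visited, skipped: skipped };
}
```

With only `frameElement` blacklisted, the guarded scan still completes because the read of `frame` is caught, which is why the try/catch covers keys the blacklist has not yet learned about.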

@gkatsev
Member

gkatsev commented Oct 19, 2015

@ljharb I tried updating to latest object.assign but it still caused problems, since we're not using es5-shim directly.

@gkatsev
Member

gkatsev commented Oct 19, 2015

Oh, removed all of node_modules and reinstalled and it's fixed with latest object.assign. Previously only installed updated version of object.assign.

@richardbushell
Contributor

That's great if it's fixed! How long until we can get this in CDN version 5.0.1, or self-hosted release via download (for those of us mortals who can't do a build ourselves)?

@gkatsev
Member

gkatsev commented Oct 19, 2015

Hopefully we'll get a fix out tomorrow but don't hold me to that.

gkatsev added a commit to gkatsev/video.js that referenced this issue Oct 19, 2015
gkatsev added a commit to gkatsev/video.js that referenced this issue Oct 20, 2015
@gkatsev
Member

gkatsev commented Oct 24, 2015

We have a release available for you to download: https://github.com/videojs/video.js/releases/tag/v5.0.2 (https://github.com/videojs/video.js/tree/v5.0.2/dist) I'll probably push to the CDN on Monday.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 27, 2022