
Javascript error: same origin policy #29080

Closed
Silther opened this issue Feb 7, 2024 · 24 comments · Fixed by #29081
Comments

@Silther

Silther commented Feb 7, 2024

Description

I get an error from my browser that Gitea tried to access forbidden elements due to SOP

Gitea Version

1.21.1 (-rootless)

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

image

image

Git Version

No response

Operating System

No response

How are you running Gitea?

portainer stack

Database

SQLite

@wxiaoguang
Contributor

It looks like you embedded something strange (not the same origin) into the page.

image

@Silther
Author

Silther commented Feb 7, 2024

It looks like you embedded something strange (not the same origin) into the page.

image

Lol, that should only be a graphical bug of Bitwarden.
The same JavaScript error also happens on the demo website.

But I will test it with Bitwarden disabled.

@wxiaoguang
Contributor

wxiaoguang commented Feb 7, 2024

Lol, that should only be a graphical bug of Bitwarden. The same JavaScript error also happens on the demo website.

But I will test it with Bitwarden disabled.

Could you help to provide the embedded HTML (bitwarden or something else)? Then we can make Gitea ignore these non-same origin resources, then there will be no error anymore.
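
The filtering described in the comment above, written out as an added example for illustration; it is not Gitea's code and does not reproduce the actual change in #29081. It assumes a hypothetical Gitea instance at gitea.example and a constructed extension UUID. The idea: a global error handler compares the origin of the script named in the error event (and, for frames, the iframe src) against the page origin, surfaces same-origin errors, and ignores anything foreign, such as a password-manager extension's iframe, so that it never shows up as a Gitea error.

```javascript
// Added example (not Gitea's code): decide whether a global "error" event came
// from the page's own origin or from a foreign resource such as a browser
// extension's iframe, so an error reporter can ignore the latter.

// Origin of a resource URL. Extension schemes (moz-extension:, chrome-extension:)
// never equal the https origin of the page; under the WHATWG URL parser as
// implemented in Node they are non-special and yield the opaque origin "null",
// as does about:blank or an unparsable string.
function originOf(href) {
  try {
    return new URL(href).origin;
  } catch {
    return "null";
  }
}

// Classify an error event against the page origin.
// Returns "report" for same-origin sources and "ignore" otherwise.
function classifyErrorEvent(pageHref, event) {
  // Cross-origin scripts loaded without CORS expose no details: the browser
  // reports "Script error." with an empty filename. Nothing actionable for
  // the page, so treat it as foreign.
  if (!event.filename) return "ignore";
  return originOf(event.filename) === originOf(pageHref) ? "report" : "ignore";
}

// Same test for an <iframe> src. A frame whose src is an extension URL or
// about:blank has an origin the page does not share; touching its
// contentWindow.document from page script raises a SecurityError.
function isSameOriginFrame(pageHref, frameSrc) {
  const frameOrigin = originOf(frameSrc);
  return frameOrigin !== "null" && frameOrigin === originOf(pageHref);
}

// Constructed sample data (hypothetical host, placeholder extension UUID).
const PAGE = "https://gitea.example/user/repo/issues/1";
const EXT = "moz-extension://00000000-0000-0000-0000-000000000000";
const SAMPLE_EVENTS = [
  { filename: "https://gitea.example/assets/js/index.js", message: "TypeError: x is undefined" },
  { filename: `${EXT}/overlay/button.js`, message: "SecurityError: Permission denied to access property \"document\" on cross-origin object" },
  { filename: "", message: "Script error." },
  { filename: "https://cdn.example/lib.js", message: "ReferenceError: foo is not defined" },
];

// Classify every constructed event; only the first one is same-origin.
function classifyAll() {
  return SAMPLE_EVENTS.map((e) => classifyErrorEvent(PAGE, e));
}

// Browser wiring (not executed under Node): install a filtered handler.
function installFilteredErrorHandler(win, report) {
  win.addEventListener("error", (e) => {
    if (classifyErrorEvent(win.location.href, e) === "report") report(e);
  });
}

if (typeof window !== "undefined") {
  installFilteredErrorHandler(window, (e) => console.error(e.message, e.filename));
} else {
  console.log(classifyAll()); // → [ 'report', 'ignore', 'ignore', 'ignore' ]
}
```

The decision rests only on origins, not on the wording of the error message, so it behaves the same in Firefox and Chrome even though their SecurityError texts differ.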

@Silther
Author

Silther commented Feb 7, 2024

You were correct, it is Bitwarden. Still strange that it only happens in Firefox (and not in Chrome); they are probably more strict.

Could you help to provide the embedded HTML (bitwarden or something else)? Then we can make Gitea ignore these non-same origin resources, then there will be no error anymore.

How can I do that?

@Silther
Author

Silther commented Feb 7, 2024

<head title="Bitwarden auto-fill menu button">
<title>Bitwarden overlay button</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="color-scheme" content="normal">
<script defer="defer" src="../overlay/button.js">
</script><link href="../overlay/button.css" rel="stylesheet">
</head><body>
<autofill-overlay-button>
</autofill-overlay-button>
</body>

@wxiaoguang
Contributor

How can I do that?

Could you also try to figure out the outer iframe code?

ps: I proposed a fix #29081.

@Silther
Author

Silther commented Feb 7, 2024

Could you also try to figure out the outer iframe code?

<iframe style="border-block: initial !important; border-inline: initial !important; border-start-start-radius: initial !important; border-start-end-radius: initial !important; border-end-start-radius: initial !important; border-end-end-radius: initial !important; overflow-block: initial !important; overflow-inline: initial !important; overscroll-behavior-block: initial !important; overscroll-behavior-inline: initial !important; margin-block: initial !important; margin-inline: initial !important; scroll-margin-block: initial !important; scroll-margin-inline: initial !important; padding-block: initial !important; padding-inline: initial !important; scroll-padding-block: initial !important; scroll-padding-inline: initial !important; inset-block: initial !important; inset-inline: initial !important; block-size: initial !important; min-block-size: initial !important; max-block-size: initial !important; inline-size: initial !important; min-inline-size: initial !important; max-inline-size: initial !important; contain-intrinsic-block-size: initial !important; contain-intrinsic-inline-size: initial !important; background: transparent !important; background-blend-mode: initial !important; border: medium !important; border-radius: initial !important; box-decoration-break: initial !important; -moz-float-edge: initial !important; display: block !important; position: fixed !important; float: initial !important; clear: initial !important; vertical-align: initial !important; baseline-source: initial !important; overflow: hidden !important; overflow-anchor: initial !important; transform: initial !important; rotate: initial !important; scale: initial !important; translate: initial !important; offset: initial !important; scroll-behavior: initial !important; scroll-snap-align: initial !important; scroll-snap-type: initial !important; scroll-snap-stop: initial !important; overscroll-behavior: initial !important; isolation: initial !important; break-after: initial !important; 
break-before: initial !important; break-inside: initial !important; resize: initial !important; perspective: initial !important; perspective-origin: initial !important; backface-visibility: initial !important; transform-box: initial !important; transform-style: initial !important; transform-origin: initial !important; contain: initial !important; container: initial !important; appearance: initial !important; -moz-orient: initial !important; will-change: initial !important; shape-image-threshold: initial !important; shape-margin: initial !important; shape-outside: initial !important; touch-action: initial !important; -webkit-line-clamp: initial !important; scrollbar-gutter: initial !important; columns: initial !important; column-fill: initial !important; column-rule: initial !important; column-span: initial !important; content: initial !important; counter-increment: initial !important; counter-reset: initial !important; counter-set: initial !important; opacity: 1 !important; box-shadow: initial !important; clip: initial !important; filter: initial !important; backdrop-filter: initial !important; mix-blend-mode: initial !important; font-family: initial !important; font-style: initial !important; font-variant: initial !important; font-weight: initial !important; font-size: initial !important; font-size-adjust: initial !important; font-synthesis: initial !important; font-stretch: initial !important; font-kerning: initial !important; font-feature-settings: initial !important; font-variation-settings: initial !important; font-language-override: initial !important; font-optical-sizing: initial !important; font-palette: initial !important; math-depth: initial !important; math-style: initial !important; line-height: 0 !important; visibility: visible !important; writing-mode: initial !important; text-orientation: initial !important; print-color-adjust: initial !important; image-rendering: initial !important; image-orientation: initial !important; dominant-baseline: initial 
!important; text-anchor: initial !important; color-interpolation: initial !important; color-interpolation-filters: initial !important; fill: initial !important; fill-opacity: initial !important; fill-rule: initial !important; shape-rendering: initial !important; stroke: initial !important; stroke-width: initial !important; stroke-linecap: initial !important; stroke-linejoin: initial !important; stroke-miterlimit: initial !important; stroke-opacity: initial !important; stroke-dasharray: initial !important; stroke-dashoffset: initial !important; clip-rule: initial !important; marker: initial !important; paint-order: initial !important; border-collapse: initial !important; empty-cells: initial !important; caption-side: initial !important; border-spacing: initial !important; color: initial !important; text-transform: initial !important; hyphens: initial !important; -moz-text-size-adjust: initial !important; text-indent: initial !important; overflow-wrap: initial !important; word-break: initial !important; text-justify: initial !important; text-align-last: initial !important; text-align: initial !important; letter-spacing: initial !important; word-spacing: initial !important; white-space: initial !important; text-shadow: initial !important; text-emphasis: initial !important; text-emphasis-position: initial !important; tab-size: initial !important; line-break: initial !important; -webkit-text-fill-color: initial !important; -webkit-text-stroke: initial !important; ruby-align: initial !important; ruby-position: initial !important; text-combine-upright: initial !important; text-rendering: initial !important; text-underline-offset: initial !important; text-underline-position: initial !important; text-decoration-skip-ink: initial !important; hyphenate-character: initial !important; forced-color-adjust: initial !important; -webkit-text-security: initial !important; text-wrap: initial !important; cursor: initial !important; pointer-events: auto !important; -moz-user-input: 
initial !important; -moz-user-modify: initial !important; -moz-user-focus: initial !important; caret-color: initial !important; accent-color: initial !important; color-scheme: normal !important; scrollbar-color: initial !important; list-style: initial !important; quotes: initial !important; margin: 0px !important; overflow-clip-margin: initial !important; scroll-margin: initial !important; outline: initial !important; outline-offset: initial !important; page: initial !important; padding: 0px !important; scroll-padding: initial !important; top: 191px !important; right: initial !important; bottom: initial !important; left: 1258px !important; z-index: 2147483647 !important; flex-flow: initial !important; place-content: initial !important; place-items: initial !important; flex: initial !important; place-self: initial !important; order: initial !important; height: 23px !important; min-height: initial !important; max-height: initial !important; width: 23px !important; min-width: initial !important; max-width: initial !important; box-sizing: initial !important; object-fit: initial !important; object-position: initial !important; grid-area: initial !important; grid: initial !important; gap: initial !important; aspect-ratio: initial !important; contain-intrinsic-size: initial !important; vector-effect: initial !important; stop-color: initial !important; stop-opacity: initial !important; flood-color: initial !important; flood-opacity: initial !important; lighting-color: initial !important; mask-type: initial !important; clip-path: none !important; mask: initial !important; x: initial !important; y: initial !important; cx: initial !important; cy: initial !important; rx: initial !important; ry: initial !important; r: initial !important; d: initial !important; table-layout: initial !important; text-overflow: initial !important; text-decoration: initial !important; ime-mode: initial !important; scrollbar-width: initial !important; user-select: initial !important; 
-moz-window-dragging: initial !important; -moz-force-broken-image-icon: initial !important; transition: opacity 125ms ease-out 0s !important; animation: initial !important; animation-composition: initial !important; -moz-box-align: initial !important; -moz-box-direction: initial !important; -moz-box-flex: initial !important; -moz-box-orient: initial !important; -moz-box-pack: initial !important; -moz-box-ordinal-group: initial !important;" src="moz-extension:https://793d5cb5-c1d6-49a3-afff-c1428f2b4086/overlay/button.html" title="Bitwarden auto-fill menu button" sandbox="allow-scripts" allowtransparency="true" tabindex="-1">
</iframe><div role="status" aria-live="polite" aria-atomic="true" style="position: absolute !important; top: -9999px !important; left: -9999px !important; width: 1px !important; height: 1px !important; overflow: hidden !important; opacity: 0 !important; pointer-events: none !important;">Bitwarden auto-fill menu available. Press the down arrow key to select.</div>

That doesn't seem right.

@Silther
Author

Silther commented Feb 7, 2024

image

I was not able to copy it directly.

@Silther
Author

Silther commented Feb 7, 2024

ps: I proposed a fix #29081.

When ready, I could test it with a rootless Docker image.

@silverwind
Member

ps: I proposed a fix #29081.

When ready, I could test it with a rootless Docker image.

We can't do builds for pull requests, so you'd have to build from source and run that.

What are the minimal steps to reproduce? Just install the Bitwarden extension and open Gitea? Any specific settings made in the extension?

@Silther
Author

Silther commented Feb 7, 2024

What are the minimal steps to reproduce? Just install the Bitwarden extension and open Gitea? Any specific settings made in the extension?

It has to be Firefox, but I think that's all.

@silverwind
Member

silverwind commented Feb 7, 2024

Odd, because I'm also a Bitwarden user on Firefox and have never seen this error. There must be something different about your setup.

@Silther
Author

Silther commented Feb 7, 2024

image
Maybe some Bitwarden settings?

@silverwind
Member

silverwind commented Feb 7, 2024

My extension does not have this "Show auto-fill menu on form fields" option, maybe that is causing the iframe? Try toggling it off. What's the version of your extension? Mine is 2024.1.1.

image

@Silther
Author

Silther commented Feb 7, 2024

Mine is 2024.1.1.

Mine too.
That's strange, as this feature was released a while ago (auto-fill menu).

@silverwind
Member

silverwind commented Feb 7, 2024

As per this, the feature is only enabled for Bitwarden Cloud users, which I'm not 😆.

@Silther
Author

Silther commented Feb 7, 2024

I like Bitwarden, but decisions like that I just cannot understand.

Should I create a test Bitwarden account and send the credentials to you?

@techknowlogick techknowlogick changed the title Javascript error: same origon policy Javascript error: same origin policy Feb 7, 2024
@silverwind
Member

No, it's fine. #29081 will fix it, one way or another.

lunny pushed a commit that referenced this issue Feb 8, 2024
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Feb 8, 2024
wxiaoguang added a commit that referenced this issue Feb 8, 2024
…erent origin on the page (#29081) (#29089)

Backport #29081 by wxiaoguang

Try to fix #29080

Co-authored-by: wxiaoguang <[email protected]>
@wxiaoguang
Contributor

ps: I proposed a fix #29081.

When ready, I could test it with a rootless Docker image.

1.21 nightly is ready by #29089

@Silther
Author

Silther commented Feb 8, 2024

1.21 nightly is ready by #29089

Will set up a new Docker shortly.

@Silther
Author

Silther commented Feb 8, 2024

With the nightly Docker it works perfectly.

How long is the release cycle for the stable (latest) version?

@silverwind
Member

It's not a fixed cycle, but I would expect 1.21.6 in around maybe 1-2 weeks.

@Silther
Author

Silther commented Feb 8, 2024

Nice,
thanks for the fast fix.

silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024
silverwind added a commit that referenced this issue Feb 22, 2024
So we don't get issues like
#29080 and
#29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Feb 22, 2024
So we don't get issues like
go-gitea#29080 and
go-gitea#29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.
silverwind added a commit that referenced this issue Feb 22, 2024
Backport #29303 by @silverwind

So we don't get issues like
#29080 and
#29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.

Co-authored-by: silverwind <[email protected]>
6543 pushed a commit to 6543-forks/gitea that referenced this issue Feb 26, 2024
…ith different origin on the page (go-gitea#29081)

Try to fix go-gitea#29080

(cherry picked from commit f290c24)
DennisRasey pushed a commit to DennisRasey/forgejo that referenced this issue Feb 27, 2024
So we don't get issues like
go-gitea/gitea#29080 and
go-gitea/gitea#29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.

(cherry picked from commit 532da5ed5ee3edb45d2ee63c6ab0fad53473691f)

Automatically locked because of our CONTRIBUTING guidelines

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 28, 2024