fix(nextjs,backend): Support handshake in iframes #3555
Conversation
🦋 Changeset detectedLatest commit: 203414f The changes in this PR will be included in the next version bump. This PR includes changesets to release 9 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
!snapshot |
|
Hey @anagstef - the snapshot version command generated the following package versions:
Tip: Use the snippet copy button below to quickly install the required packages. npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i [email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact |
| @@ -48,7 +48,7 @@ function isRequestEligibleForHandshake(authenticateContext: { secFetchDest?: str | |||
| const { accept, secFetchDest } = authenticateContext; | |||
|
|
|||
| // NOTE: we could also check sec-fetch-mode === navigate here, but according to the spec, sec-fetch-dest: document should indicate that the request is the data of a user navigation. | |||
| if (secFetchDest === 'document') { | |||
| if (secFetchDest === 'document' || secFetchDest === 'iframe') { | |||
There was a problem hiding this comment.
ℹ️ When document requests happend from inside an iframe the Sec-Fetch-Dest value is set to iframe. Fetch/XHR requests do not use this value.
There was a problem hiding this comment.
I propose exporting a SAFE_SEC_FETCH_DESTS array from shared and then consuming it in backend and nextjs, and just checking SAFE_SEC_FETCH_DESTS.includes(secFetchDest)
| @@ -48,7 +48,7 @@ function isRequestEligibleForHandshake(authenticateContext: { secFetchDest?: str | |||
| const { accept, secFetchDest } = authenticateContext; | |||
|
|
|||
| // NOTE: we could also check sec-fetch-mode === navigate here, but according to the spec, sec-fetch-dest: document should indicate that the request is the data of a user navigation. | |||
| if (secFetchDest === 'document') { | |||
| if (secFetchDest === 'document' || secFetchDest === 'iframe') { | |||
There was a problem hiding this comment.
I propose exporting a SAFE_SEC_FETCH_DESTS array from shared and then consuming it in backend and nextjs, and just checking SAFE_SEC_FETCH_DESTS.includes(secFetchDest)
| @@ -121,6 +121,7 @@ const isServerActionRequest = (req: Request) => { | |||
| const isPageRequest = (req: Request): boolean => { | |||
| return ( | |||
| req.headers.get(constants.Headers.SecFetchDest) === 'document' || | |||
| req.headers.get(constants.Headers.SecFetchDest) === 'iframe' || | |||
There was a problem hiding this comment.
❓ why do we need this as part of this PR? Is this related to the handshake mechanism?
There was a problem hiding this comment.
I believe we need this in order for pages wrapped with protect work properly in the first load via an iframe
There was a problem hiding this comment.
It's not a handshake particular thing, but as @panteliselef said, it will help with protect and iframes.
Co-authored-by: Bryce Kalow <[email protected]>
|
!snapshot |
|
!snapshot |
|
Hey @anagstef - the snapshot version command generated the following package versions:
Tip: Use the snippet copy button below to quickly install the required packages. npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i [email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact |
|
!snapshot |
|
Hey @anagstef - the snapshot version command generated the following package versions:
Tip: Use the snippet copy button below to quickly install the required packages. npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i [email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact
npm i @clerk/[email protected] --save-exact |
This change makes requests that have the `Sec-Fetch-Dest` value set to `iframe` to be eligible for handshake. Co-authored-by: Bryce Kalow <[email protected]>
Description
Adds support for handshake inside iframes.
This PR makes requests that have the
Sec-Fetch-Destvalue set toiframeto be eligible for handshake.Checklist
npm testruns as expected.npm run buildruns as expected.Type of change