DevTools: Improve browser extension iframe support

[omarsy]

Fixes #18945

Summary

Correct the issue caused by this PR #19827

Test Plan

[omarsy]

I handle now the case if we don't have __REACT_DEVTOOLS_GLOBAL_HOOK__ in the parent window

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit ae0bd28:

Sandbox	Source
React	Configuration

[sizebot]

No significant bundle size changes to report.

Size changes (experimental)

Generated by 🚫 dangerJS against ae0bd28

[sizebot]

No significant bundle size changes to report.

Size changes (stable)

Generated by 🚫 dangerJS against ae0bd28

[bvaughn]

Looks like these changes fix the dev shell regression 👍

So I guess they're good to move forward with.

[omarsy]

Thank you @bvaughn !

[StanislavMayorov]

@omarsy I've built the extension from master 97625272a, but react devtools doesn't work with iframe. Is it required any extra configuration in my project?
I use different origins for iframe and main app. Web app is started from localhost:3333 and iframe app from localhost:3001.

[omarsy]

@StanislavMayorov No you need any extra configuration. Can I see your code ? What kind of iframe do you use (sandbox or not) ?

[omarsy]

Your previous devtool work with iframe if you add if you add this code in your iframe

<script type="text/javascript">
      // Enable DevTools to inspect React inside of an <iframe>	
      // This must run before React is loaded	
      __REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__;	
    </script>
``` ?

[StanislavMayorov]

I don't have a demo that I can share right now. That's sandbox attr.

<iframe
   sandbox="allow-forms allow-same-origin allow-scripts allow-popups"
 />

[StanislavMayorov]

Your previous devtool work with iframe if you add if you add this code in your iframe

<script type="text/javascript">
      // Enable DevTools to inspect React inside of an <iframe>	
      // This must run before React is loaded	
      __REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__;	
    </script>
``` ?

No, It didn't work for my app.

[omarsy]

In the case of the sandbox we cannot always access the parent's window (blocked by the browser for security reasons), that's why it doesn't work. My fix allows this script

<script type="text/javascript">
      // Enable DevTools to inspect React inside of an <iframe>	
      // This must run before React is loaded	
      __REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__;	
    </script>

to be done automatically. But this does not solve the problem of the sandbox. Maybe we can solve the case of sandboxed iframes but I think it is necessary to make a big refactoring and at the security level it remains a big question mark.

[StanislavMayorov]

I think it doesn't have access to window.parent.__REACT_DEVTOOLS_GLOBAL_HOOK__. But redux dev works fine.

The extension (version 97625272a) crashes If I remove sandbox attribute. Current released version doesn't crash, it just doesn't show components.

[StanislavMayorov]

I tried to reproduce the crash using a demo app, but it works okay with different origins. I couldn't find out what is the reason of crash in my app. I tested that sandbox attr doesn't affect the crash in my app.

[omarsy]

Perhaps you have an iframe or ( main window) element in your props ? In this case, when we try to dehydrate the props, it causes this issue.
If you add a debbuger in this line you can see which props causes the issue. Thank you for your screen

react/packages/react-devtools-shared/src/utils.js

Line 614 in 4ead6b5

if (data != null && hasOwnProperty.call(data, meta.type)) {

[omarsy]

@bvaughn I think it’s not related to my merge. I can reproduce it.
https://codesandbox.io/s/modest-moser-jg9x9?file=/src/index.js
Just need a confirmation @StanislavMayorov to see which prop causes this issue.
I can push a PR for this issue (security crash) if you want

[StanislavMayorov]

I don't have crash in this demo.

@bvaughn I think it’s not related to my merge. I can reproduce it.
https://codesandbox.io/s/modest-moser-jg9x9?file=/src/index.js

I'll check props as I know there is no element.

[omarsy]

I don't have crash in this demo.

Try to inspect the App

[StanislavMayorov]

@omarsy I just open your app and see error, even without react devtools.

But I have following steps in my app:

• open app
• inspect iframe react component

result: it fails with error.

[omarsy]

Yes, normally if it was due to my change it would have crashed before the inspect (because we do several treatments with the window). I think you have a window in one of your props. I think i can have a PR for this issue

[bvaughn]

If you are confident that the crash is not related to the previous iframe change, then you can submit a PR that reverts my revert.

[StanislavMayorov]

I can check current version with reverted PR.

[bvaughn]

@StanislavMayorov You good to build and test this locally? (Let me know if you need me to build and attach a version here.)

[omarsy]

With the reverted PR you cannot inspect 'iframe react component' I think. We need to give you a quick fix for the window security crash + iframe support

[bvaughn]

Couldn't you add the pass through (like in our fixtures) to test with the reverted DT?

react/fixtures/devtools/regression/16.7.html

Lines 8 to 12 in 6eca8ef

	<script type="text/javascript">
	// Enable DevTools to inspect React inside of an <iframe>
	// This must run before React is loaded
	__REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__;
	</script>

[omarsy]

@bvaughn for this issue https://codesandbox.io/s/modest-moser-jg9x9?file=/src/index.js. Can I submit a PR ?

[bvaughn]

Sorry @omarsy but I don't have time to dig into this at the moment. Please feel free to submit a PR if you think it's appropriate :)

[StanislavMayorov]

Couldn't you add the pass through (like in our fixtures) to test with the reverted DT?

react/fixtures/devtools/regression/16.7.html

Lines 8 to 12 in 6eca8ef

	<script type="text/javascript">
	// Enable DevTools to inspect React inside of an <iframe>
	// This must run before React is loaded
	__REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__;
	</script>

Okay, I have this changes in my app. I will test it. Should I use this version?

@StanislavMayorov You good to build and test this locally? (Let me know if you need me to build and attach a version here.)

I have already built it using these steps https://github.com/facebook/react/tree/master/packages/react-devtools-extensions#build-from-source

[omarsy]

Okay, I have this changes in my app. I will test it. Should I use this version?

Yes I think you can use it

[StanislavMayorov]

I tested this version and added __REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__; in html.

There's no error on inspector click, but react inspector doesn't work. It throw only an error on start: Blocked a frame with origin "http://localhost:3002" from accessing a cross-origin frame. on script in html.
Inspector works fine if I test with disabled CORS in chrome.

[omarsy]

__REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__; react inspector should work if you add this.

[StanislavMayorov]

__REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__; react inspector should work if you add this.

Iframe app doesn't have access to parent.__REACT_DEVTOOLS_GLOBAL_HOOK__;

I use different origins for iframe and main app. Web app is started from localhost:3333 and iframe app from localhost:3001.

[omarsy]

What you say :
this __REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__; causes crash in start and with my version it causes a crash when you try to inspect the iframe ?

[omarsy]

So I think this PR is the reason of crash.

What I'm saying is in the stacktrace, you can see that we have the issue when trying to desyhdrate props. So my understanding is that you should have a window element in your props because of this but maybe I'm wrong that's why I asked you to put in a debugger to see which props were causing the issue If you add a debbuger in this line you can see which props causes the issue. .

Well I'll stop investigating as I can see I'm not getting anywhere.

[StanislavMayorov]

What you say :
this __REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__; causes crash in start and with my version it causes a crash when you try to inspect the iframe ?

You are right. There are two errors. I missed the error on start in console because react-error-overlay doesn't work at this stage. I update my comment about the test result.

The fix adds script __REACT_DEVTOOLS_GLOBAL_HOOK__ = parent.__REACT_DEVTOOLS_GLOBAL_HOOK__;, but it causes error in case of different origins, doesn't it? That's not good for default behavior.

[StanislavMayorov]

I will try to reproduce and debug props soon. Is it enough just to use build:dev?

[bvaughn]

Is it enough just to use build:dev?

That's fine. If you're testing in Chrome, the fastest way would be to run either "build:chrome" or "build:chrome:dev", e.g.

yarn build:chrome && yarn test:chrome --url=<url-of-your-sandbox>