Description
What happened?
For hard sandboxing security reasons, the Chrome browser always returns null for window.frameElement when embedding a website from a different origin than the root (ignoring cross-origin headers or attributes of any sort). This causes isInsideAnIframe in piwik.js to fail the check at line 2179.

Lines 2179 to 2181 in f6adad1

```
if (isDefined(frameElement)) {
    return (frameElement && String(frameElement.nodeName).toLowerCase() === 'iframe') ? true : false;
}
```

typeof null will return 'object', causing the if statement to be executed and always return false from Chrome.
What should happen?
I would add an additional check at line 2179 to skip entering the if statement if frameElement is null, so the code can fall through to lines

Lines 2183 to 2186 in f6adad1

```
try {
    return windowAlias.self !== windowAlias.top;
} catch (e2) {
    return true;
```

where the comparison will correctly evaluate, detecting when inside an iframe in Chrome.
How can this be reproduced?
- Embed through an iframe a website running the Matomo tracking code from a different origin.
- From the iframe browser console, observe that Matomo is not aware of being inside an iframe, with window.frameElement always returning null.
(Bonus)
- Cookieless tracking requests fail to be aggregated later on by Matomo, resulting in Matomo creating 2 different visitorId logs, making the user journey harder to track.
Matomo version
5.5.2
PHP version
not relevant
Server operating system
not relevant
What browsers are you seeing the problem on?
Chrome
Computer operating system
MacOS 26
Relevant log output
Validations
- Read our Contributing Guidelines.
- Follow our Security Policy.
- Check that there isn't already an issue that reports the same bug to avoid creating duplicates.
- The provided steps to reproduce is a minimal reproducible of the Bug.
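
The check quoted in the issue and the null guard it proposes, run side by side against constructed window-like objects. This is an added example, not Matomo's code: `isDefined`, `makeWindow`, the `cases` objects and both function names are assumptions modelled on the quoted lines.

```javascript
// Added example. Assumed helper, modelled on the issue's remark that `typeof null` is 'object'.
function isDefined(property) {
    return typeof property !== 'undefined';
}

// The check as quoted in the issue (lines 2179-2181 and 2183-2186).
function isInsideAnIframeQuoted(win) {
    var frameElement = win.frameElement;
    if (isDefined(frameElement)) {
        return (frameElement && String(frameElement.nodeName).toLowerCase() === 'iframe') ? true : false;
    }
    try {
        return win.self !== win.top;
    } catch (e2) {
        return true;
    }
}

// The change proposed in the issue: a null frameElement falls through to self/top.
function isInsideAnIframeProposed(win) {
    var frameElement = win.frameElement;
    if (isDefined(frameElement) && frameElement !== null) {
        return String(frameElement.nodeName).toLowerCase() === 'iframe';
    }
    try {
        return win.self !== win.top;
    } catch (e2) {
        return true;
    }
}

// Hypothetical factory for constructed windows: `framed` decides whether self and top differ.
function makeWindow(frameElement, framed) {
    var win = { frameElement: frameElement };
    win.self = win;
    win.top = framed ? { name: 'parent' } : win;
    return win;
}

var cases = {
    topLevel: makeWindow(null, false),
    sameOriginFrame: makeWindow({ nodeName: 'IFRAME' }, true),
    crossOriginFrame: makeWindow(null, true)   // what the issue reports for Chrome
};
function run(check) {
    return Object.keys(cases).map(function (k) { return k + '=' + check(cases[k]); }).join(' ');
}
console.log('quoted:  ', run(isInsideAnIframeQuoted));
console.log('proposed:', run(isInsideAnIframeProposed));
```

The two versions differ only for the cross-origin case; the top-level window stays `false` under the null guard because `self === top` there.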