Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clerk's use of localStorage is not safe enough #5016

Open
4 tasks done
tmcw opened this issue Jan 27, 2025 · 1 comment · May be fixed by #5156
Open
4 tasks done

Clerk's use of localStorage is not safe enough #5016

tmcw opened this issue Jan 27, 2025 · 1 comment · May be fixed by #5156
Assignees
@alexcarpenter
Labels
bug Something isn't working

Comments

@tmcw
Copy link

tmcw commented Jan 27, 2025

Preliminary Checks

Reproduction

http://val.town/

Publishable key

pk_test_aHVtb3JvdXMtZGFzc2llLTE4LmNsZXJrLmFjY291bnRzLmRldiQ

Description

Steps to reproduce:

  1. Use Firefox in Private mode, or Android in private mode, or a page that uses Clerk in an iframe with locked-down sandbox permissions

Expected behavior:

Clerk is safe in its usage of localStorage APIs.

Actual behavior:

It isn't, it calls localStorage.getItem and produces an uncaught error.

There is a previous issue about this in the context of expo: #1620

But this isn't safe enough. It's pretty clear from history that localStorage is an 'exploding API' when used in paranoid browser environments: the window exists, maybe localStorage exists, and the method localStorage.getItem exists, but if you call localStorage.getItem() it'll throw an error. Examples from prod:

Image

SecurityError: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.

This can also happen if someone has Firefox with dom.storage.enabled turned off, and many folks do.

See previous discussion here: https://mathiasbynens.be/notes/localstorage-pattern#comment-9 - basically any operations on localstorage should be expected to throw errors in locked-down browser environments.

Environment

System:
    OS: macOS 15.2
    CPU: (8) arm64 Apple M2
    Memory: 104.34 MB / 24.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.11.0 - ~/.local/share/mise/installs/node/22.11.0/bin/node
    npm: 10.9.0 - ~/.local/share/mise/installs/node/22.11.0/bin/npm
    bun: 1.0.28 - ~/.bun/bin/bun
    Watchman: 2024.12.02.00 - /opt/homebrew/bin/watchman
  Browsers:
    Chrome: 132.0.6834.110
    Chrome Canary: 134.0.6982.0
    Edge: 132.0.2957.127
    Safari: 18.2
  npmPackages:
@tmcw tmcw added the needs-triage A ticket that needs to be triaged by a team member label Jan 27, 2025
@mateussmohamed
Copy link

same issue

@linear linear bot added bug Something isn't working and removed needs-triage A ticket that needs to be triaged by a team member labels Jan 31, 2025
@alexcarpenter alexcarpenter self-assigned this Feb 13, 2025
@LekoArts LekoArts linked a pull request Feb 21, 2025 that will close this issue
Draft
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexcarpenter alexcarpenter

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

refactor(clerk-js): Make use of browser navigator locks property clerk/javascript
3 participants
@tmcw @alexcarpenter @mateussmohamed