window.parent.postMessage blocked even if iframe domain is whitelisted

Description of the issue:
In Netdata, users can access different “Agent” pages, like:
https://newyork.my-netdata.io/
https://london.my-netdata.io/
which share the same single sign-on system, redirecting to the https://netdata.cloud/account/sign-in-agent login page. The sign-on domain (netdata[dot]cloud) is then loaded as an iframe on individual pages, like *.my-netdata.io, and it reads cookies set during sign-in and sends them via window.parent.postMessage.

Unfortunately, Brave shield is blocking that communication. Parent pages don’t receive any message from the iframe. It can be solved by switching the Shield setting from “Cross-site cookies blocked” to “All cookies allowed” on individual Agent pages (like newyork.my-netdata.io), but it’s problematic, because users can use even dozens of different pages with a single login. It would be better if there was an option to whitelist only the netdata[dot]cloud SSO page.

Is blocking of window.parent.postMessage() intentional in this case?
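
The flow described above, seen from the parent page, as an added example that is not part of the original post or Netdata's own code: a receiver that accepts the SSO iframe's message only from https://netdata.cloud and reports when no message arrives at all. The `{ token }` message shape, the function names and the timeout value are assumptions.

```javascript
// Added example: parent-page receiver for the SSO iframe's postMessage.
const SSO_ORIGIN = "https://netdata.cloud"; // sign-on origin named in the post

// Return the token only if the message comes from the SSO origin, was sent by
// the iframe we embedded, and has the expected shape ({ token } is assumed).
function validateSsoMessage(event, iframeWindow) {
  if (event.origin !== SSO_ORIGIN) return null;           // exact match, no prefix tests
  if (iframeWindow && event.source !== iframeWindow) return null;
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (typeof data.token !== "string" || data.token.length === 0) return null;
  return data.token;
}

// Listen on `win` and report exactly one outcome: a valid token, or silence
// (the case the post describes, where the parent never receives a message).
function watchSsoIframe(win, iframeWindow, { timeoutMs = 5000, onToken, onSilent }) {
  let done = false;
  const finish = (fn, arg) => {
    if (done) return;
    done = true;
    clearTimeout(timer);
    win.removeEventListener("message", handler);
    fn(arg);
  };
  const handler = (event) => {
    const token = validateSsoMessage(event, iframeWindow);
    if (token !== null) finish(onToken, token);           // invalid messages are ignored
  };
  const timer = setTimeout(() => finish(onSilent), timeoutMs);
  win.addEventListener("message", handler);
  return () => finish(() => {});                          // manual cancel
}
```

In a browser this would be called as `watchSsoIframe(window, iframe.contentWindow, {...})`, with `onSilent` falling back to a top-level redirect to the sign-in page instead of leaving the user in a signed-out state.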
