
Fix: wrap cross-origin property access in try/catch in ReactPerforman… #36485

Open
KrishnaVipul14 wants to merge 1 commit into facebook:main from KrishnaVipul14:fix/cross-origin-window-performance-tracker

Conversation

@KrishnaVipul14

Fix SecurityError crash when cross-origin Window is passed as a prop (DEV build)

Summary

Fixes a bug where passing a cross-origin Window object (e.g. iframe.contentWindow
from an iframe with srcDoc="") as a React component prop crashes the entire fiber
tree in DEV builds, making the UI permanently unresponsive.

Problem

In React 19.2 DEV builds, the performance logger (logComponentRender) walks all
component props via addObjectToProperties and addValueToProperties in
ReactPerformanceTrackProperties.js.

When a prop contains a cross-origin Window object, the browser throws a SecurityError
on any property access. Because there was no try/catch, this error escaped the commit
phase and corrupted the work-in-progress fiber tree. Every render after that threw:

Should not already be working.

...and the app became completely frozen — no clicks, no input, nothing worked.

Root Cause

Two unguarded operations in ReactPerformanceTrackProperties.js:

  1. for (const key in object) — throws SecurityError immediately when object is a
    cross-origin Window because property enumeration is blocked by the browser.

  2. Object.getPrototypeOf(value) — also throws SecurityError on cross-origin objects.

Fix

File changed:
packages/react-reconciler/src/ReactPerformanceTrackProperties.js

Change 1 — addObjectToProperties:
Wrapped the for...in loop in a try/catch. If SecurityError is thrown, pushes a
[cross-origin object] placeholder into properties and returns early. Fiber tree
is never touched.

Change 2 — addValueToProperties:
Wrapped Object.getPrototypeOf(value) in a try/catch. If it throws, objectName
silently stays as 'Object' and execution continues normally.

How To Reproduce

  1. Bootstrap a fresh Vite + React 19.2.5 app
  2. Replace App.tsx with:

    import { useEffect, useRef, useState } from 'react';

    function App() {
      const iframeRef = useRef(null);
      const [win, setWin] = useState(null);

      useEffect(() => {
        // Store the iframe's Window object in state so it gets passed down as a prop.
        setWin(iframeRef.current?.contentWindow ?? null);
      }, []);

      return (
        <>
          <iframe ref={iframeRef} srcDoc="hi" title="x" />
          {/* Child receives the Window object as a prop, which the DEV logger walks. */}
          <Child win={win} />
        </>
      );
    }

    function Child({ win }) {
      return <div>{win ? 'has window' : 'no window'}</div>;
    }

    export default App;

  3. Run npm run dev
  4. Page freezes immediately after mount
  5. Console shows SecurityError then Should not already be working

Before This Fix

  • SecurityError thrown inside commit phase
  • Fiber tree left in broken state
  • App permanently frozen after first mount
  • Error message "Should not already be working" is completely misleading

After This Fix

  • Cross-origin objects are safely skipped with a [cross-origin object] placeholder
  • Fiber tree stays intact
  • App renders and works normally
  • DEV performance logger continues working for all normal props

Notes

  • Only DEV builds are affected. Production is completely unaffected.
  • This is NOT related to DevTools extension issue "Failed to read a named property from Window: Blocked a frame with origin" #29011
  • readReactElementTypeof was already correctly guarded with 'in' check —
    this PR guards the two remaining unprotected call sites in the same file
  • Real world impact: Plotly, Vega, marimo HTML widgets, Jupyter widget
    conversions, embedded notebook editors and dashboards all hit this bug
    when storing Window or DOM refs in component state

Test

Tested manually with Vite + React 19.2.5 in Chrome.
Before patch: app freezes on mount.
After patch: app renders correctly, no errors in console.
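The two guards the PR describes, shown as an added example rather than the PR's diff or React's own code: simplified stand-ins for addObjectToProperties and addValueToProperties, with a constructed SecurityError class and a Proxy that refuses enumeration and prototype lookup standing in for a cross-origin Window so it runs under Node. The catch blocks rethrow anything other than a SecurityError, so unrelated bugs in the logger still surface.

```javascript
// Added example, not the PR's diff or React's code: simplified stand-ins for the two
// helpers the PR names, with the try/catch guards it describes. SecurityError and the
// Proxy stub are constructed substitutes for a cross-origin Window (no browser needed).
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = 'SecurityError'; }
}

// Stand-in for iframe.contentWindow of a foreign origin: the browser refuses
// enumeration and prototype lookup, so both traps throw here.
function makeCrossOriginWindowStub() {
  const deny = () => { throw new SecurityError('Blocked a frame with a different origin'); };
  return new Proxy({}, { ownKeys: deny, getPrototypeOf: deny, get: deny, has: deny });
}

// Swallow only the expected SecurityError; anything else is a real bug and must surface.
function isSecurityError(x) { return x != null && x.name === 'SecurityError'; }
// Change 2: Object.getPrototypeOf may throw; keep the generic label and carry on.
function addValueToProperties(name, value, properties, indent) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    let objectName = 'Object';
    try {
      const proto = Object.getPrototypeOf(value);
      if (proto && typeof proto.constructor === 'function') objectName = proto.constructor.name;
    } catch (x) {
      if (!isSecurityError(x)) throw x;
    }
    properties.push([indent + name, objectName]);
    addObjectToProperties(value, properties, indent + '  ');
    return;
  }
  properties.push([indent + name, String(value)]);
}

// Change 1: for...in throws before the first iteration on a cross-origin object;
// record a placeholder and return instead of letting the error reach the commit phase.
function addObjectToProperties(object, properties, indent) {
  try {
    for (const key in object) addValueToProperties(key, object[key], properties, indent);
  } catch (x) {
    if (!isSecurityError(x)) throw x;
    properties.push([indent + '[cross-origin object]', '']);
  }
}

// Constructed props: a string, a fake cross-origin window, and a nested object.
function demoCrossOriginProps() {
  const properties = [];
  addObjectToProperties({ label: 'hi', win: makeCrossOriginWindowStub(), nested: { a: 1 } }, properties, '');
  return properties;
}
```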

@meta-cla

meta-cla Bot commented May 17, 2026

Hi @KrishnaVipul14!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

@meta-cla meta-cla Bot added the CLA Signed label May 17, 2026
@meta-cla

meta-cla Bot commented May 17, 2026

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!
