Uncaught TypeError: Cannot read properties of null (reading 'postMessage') in Companion's Callback Endpoint about uppy HOT 10 CLOSED

Hi. does this also happen when you don't use stackblitz? (e.g. local development) i have a theory that it happens because in stackblitz the app runs inside of an iframe

from uppy.

@mifi yes it happens in local development, stackblitz and in production. I forgot to mention I am also using Cloudflare with DNS proxy

from uppy.

ok thanks for clearing that up.

1. Does it happen in all browsers for you?
2. Do you mean that you're using cloudflare with DNS proxy in front of Companion or for the Uppy static code?
3. If so, does it happen if you by-pass cloudflare and connect directly to companion?
4. Does cloudflare forward all headers from companion?
5. Does it happen if you run Companion on localhost and connect to it using local Uppy?

Where is Companion hosted? I don't know how your stackblitz can possibly work because it uses https://example.com/companion

I think it could be related to #4107

from uppy.

also have you set a Cross-Origin-Opener-Policy header?

from uppy.

I can see that Cross-Origin-Opener-Policy: same-origin does get set when running from StackBlitz. So it won't work there.

Having a Cross-Origin-Opener-Policy header with a value of same-origin prevents setting opener. Since the new window is loaded in a different browsing context, it won't have a reference to the opening window.

from https://developer.mozilla.org/en-US/docs/Web/API/Window/opener
​
Are you setting that header when testing locally and in production?

from uppy.

1. Error happens in Chrome/Incognito and Firefox
2. Cloudflare with DNS proxy in front of Both companion and uppy static code.
3. Turning off Cloudlfare DNS proxy causes net::ERR_CERT_AUTHORITY_INVALID when Uppy code communicates with the companion server
4. Headers are pasted as above. I'm unsure how to examine this further
5. Just reproduced the error running Companion on localhost and connecting to it using local Uppy
6. Yes, in production you can see add_header Cross-Origin-Opener-Policy 'unsafe-none' always; in my nginx config pasted above. I haven't tested that locally. Should companion do that by default?

from uppy.

Are the Uppy web-app static files hosted in nginx also (the configuration above)? If not, can you check whether the request to get the webapp HTML has a Cross-Origin-Opener-Policy header in the response? (for example using chrome developer tools Network tab)

from uppy.

No they are hosted by Vercel, or locally in Nuxt3 Nitro server. example.com is a redaction. All headers were being sent.

I think I solved it, the problem was the nuxt-security module I am using:

security: {
    nonce: true,
    corsHandler: {
      origin: process.env.AUTH_BASE_URL,
      methods: "*",
    },
    headers: {
      crossOriginEmbedderPolicy: false,
      contentSecurityPolicy: {
        "script-src-attr": ["'unsafe-hashes'", "'unsafe-inline'"],
        "img-src": false, //["'self'", 'data:'],
        "script-src": [
          "'self'",
          "https:",
          "'unsafe-inline'",
          "'strict-dynamic'",
          "'nonce-{{nonce}}'",
          "'unsafe-eval'",
        ],
      },
    },
  },

The stackblitz same-origin must have been confounding my tests with the Uppy vue template. Thanks for your time @mifi

from uppy.

alright, so Cross-Origin-Opener-Policy: same-origin was the problem, and we close this? I think we should provide a better error message (not just a blank page)

from uppy.

Yes that was the problem. I'll close the issue

from uppy.