Page MenuHomePhabricator
Create Task
Maniphest T264245

Error: Permission denied to access property "nodeType"
Closed, ResolvedPublic
Actions

Description

This is the most common error in production however I have no idea where it's coming from, but given the amount of projects and IPs it appears on I don't believe it is originating from user scripts or gadgets.

It's been seen on de.wikipedia, fr.wikipedia, es.wikipedia.org, uk.wikipedia.org, bg.wikipedia.org, it.wikipedia, ja, he, ru,zh, pl, tr, ca, ar, pt

Interestingly there was a few occurances on de.m.wikipedia.org on a desktop browser which limits the modules that could be causing this to various core modules, EventLogging, NavigationTiming and CentralNotice.

Stack trace is not very helpful as it seems to come from within jQuery but points to a problematic event handler:

at jQuery.Event URL1:178:352
at fix URL1:176:320
at jQuery.event.fix URL1:256:903
at dispatch URL1:173:898
at add/elemData.handle URL1:171:388

URL1: https://he.wikipedia.org/w/load.php?lang=he&modules=ext.RevisionSlider.Settings%2ClazyJs%7Cext.centralNotice.geoIP%7Cext.centralauth.ForeignApi%7Cext.centralauth.centralautologin.clearcookie%7Cext.cx.eventlogging.campaigns%7Cext.echo.api%2Cinit%7Cext.eventLogging%2CnavigationTiming%2Cpopups%2Cthanks%2CwikimediaEvents%7Cext.growthExperiments.SuggestedEditSession%7Cext.thanks.corethank%7Cext.uls.common%2Ccompactlinks%2Cinit%2Cinterface%2Cpreferences%2Cwebfonts%7Cjquery%2Coojs%2Coojs-ui-core%2Coojs-ui-windows%2Csite%7Cjquery.client%2Cconfirmable%2Ccookie%2ChighlightText%2Cspinner%2Csuggestions%2CtextSelection%2Ctipsy%2Cui%7Cjquery.spinner.styles%7Cjquery.uls.data%7Cmediawiki.ForeignApi%2CString%2CTitle%2CUri%2Capi%2Cbase%2Ccldr%2Ccookie%2Cexperiments%2CjqueryMsg%2Clanguage%2Cstorage%2Cuser%2Cutil%7Cmediawiki.ForeignApi.core%7Cmediawiki.editfont.styles%7Cmediawiki.libs.pluralruleparser%7Cmediawiki.page.ready%7Cmediawiki.page.watch.ajax%7Cmediawiki.ui.button%7Coojs-ui-windows.icons%7Coojs-ui.styles.icons-movement%7Cskins.vector.legacy.js%7Cuser.defaults%7Cwikibase.client.linkitem.init&skin=vector&version=1p9du

Details

SubjectRepoBranchLines +/-
clientError: Ignore permission denied errors in error trackingmediawiki/extensions/WikimediaEventsmaster+29 -11
Do not log client errors when inside an iframemediawiki/extensions/WikimediaEventsmaster+10 -0
Customize query in gerrit

Related Objects

Event Timeline

Jdlrobson created this task.Sep 30 2020, 9:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 30 2020, 9:22 PM
santhosh subscribed.Oct 5 2020, 5:58 AM
Umherirrender added a project: JavaScript.Oct 5 2020, 4:59 PM
Krinkle subscribed.EditedOct 14 2020, 6:56 PM

This could be caused by someone passing some JS value that isn't a DOM Node to the jQuery constructor and then using event propagation, e.g.

var x =  Math.random();
var y = new Vue();
$( x ).trigger( 'click' );
$( y ).trigger( 'focus' );

Or where the value is a DOM Node reference obtained from a different security context that you can pass around but not inspect, e.g. something from an iframe.

Do the URLs have something in common? E.g. edit page, article views, a special page, etc.

Jdlrobson triaged this task as High priority.Oct 21 2020, 9:07 PM
Jdlrobson added a project: DoNotUse---Instrument-ClientError.
This comment was removed by Jdlrobson.
Jdlrobson added a comment.Oct 21 2020, 9:44 PM

Ignore my last comment I was reading the graph wrong. There is more than 1 IP address with this error.

Krinkle moved this task from Untriaged to Older on the Wikimedia-production-error board.Oct 23 2020, 9:53 PM
Jdlrobson added projects: MediaWiki-extensions-CentralAuth, MediaWiki-User-login-and-signup.EditedNov 20 2020, 10:15 PM

I'm starting to suspect CentralAuth and the login/signup workflow as the module ext.centralauth.centralautologin appears consistently in all the file_urls and would explain why we can't easily replicate the error.

Could somebody who knows the extension check that code?

Update: I think it's possible module may be present for all anons - that may be a red herring - but if so that will tell us this problem only impacts anonymous users.

Krinkle added a comment.Nov 27 2020, 2:59 AM
In T264245#6637786, @Jdlrobson wrote:

I'm starting to suspect CentralAuth and the login/signup workflow as the module ext.centralauth.centralautologin appears consistently in all the file_urls and would explain why we can't easily replicate the error.
[…]
Update: I think it's possible module may be present for all anons - that may be a red herring - but if so that will tell us this problem only impacts anonymous users.

That's right. This module is loaded unconditionally on all logged-out page loads.

Jdlrobson added a comment.Jan 12 2021, 8:10 PM

At this point I'm still not able to work out where this task originates. My guess is that there's something running Wikipedia in an iframe.
I think if https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikimediaEvents/+/634295 doesn't shed any more light, it probably makes sense to consider this as spam and manually drop any error with the message "Error: Permission denied to access property".

Jdlrobson moved this task from Backlog to Bugs on the MediaWiki-User-Interface board.Jan 12 2021, 11:28 PM
gerritbot added a comment.Jan 29 2021, 1:42 AM

Change 659492 had a related patch set uploaded (by Jdlrobson; owner: Jdlrobson):
[mediawiki/extensions/WikimediaEvents@master] Do not log client errors when in iframe

https://gerrit.wikimedia.org/r/659492

gerritbot added a project: Patch-For-Review.Jan 29 2021, 1:42 AM
Krinkle added a comment.EditedJan 29 2021, 5:40 AM
In T264245#6741298, @Jdlrobson wrote:

At this point I'm still not able to work out where this task originates. My guess is that there's something running Wikipedia in an iframe.
I think if https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikimediaEvents/+/634295 doesn't shed any more light, it probably makes sense to consider this as spam and manually drop any error with the message "Error: Permission denied to access property".

I think you're right. However, I don't think cases where Wikipedia itself is iframed would lead to use receiving permission errors with things that we do inside of that iframe. Rather, a permission error would be seen by the outer context trying to access us, which we wouldn't notice or receive.

Conversely, relevant to us, these kinds errors could happen when JavaScript that runs on our site is in the one creating an iframe (e.g. a gadget using an iframe to show a map or something), and then attempting to access stuff inside of it, which is naturally not allowed and so the code on "our" side is receiving that error.

E.g. when running something like the following from wikipedia.org:

i = document.createElement('iframe')
i.href = 'https://example.org/';
document.body.append(i);
// …
i.contentWindow.document.body.outerHTML

Surprisingly, this actually does not lead to an error in Firefox. Which browser are we seeing this permission error from?

Anyway, I've landed the commit since it seems good practice to also ignore any rare issues that might arise when Wikipedia page views are embedded in an iframe elsewhere on the web.

gerritbot added a comment.Jan 29 2021, 5:59 AM

Change 659492 merged by jenkins-bot:
[mediawiki/extensions/WikimediaEvents@master] Do not log client errors when inside an iframe

https://gerrit.wikimedia.org/r/659492

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.29; 2021-02-02).Jan 29 2021, 6:00 AM
Maintenance_bot removed a project: Patch-For-Review.Jan 29 2021, 6:10 AM
gerritbot added a comment.Feb 16 2021, 8:44 PM

Change 664643 had a related patch set uploaded (by Jdlrobson; owner: Jdlrobson):
[mediawiki/extensions/WikimediaEvents@master] Ignore permission denied errors in error tracking

https://gerrit.wikimedia.org/r/664643

gerritbot added a project: Patch-For-Review.Feb 16 2021, 8:44 PM
Jdlrobson added a comment.Feb 16 2021, 8:44 PM

Anyway, I've landed the commit since it seems good practice to also ignore any rare issues that might arise when Wikipedia page views are embedded in an iframe elsewhere on the web.

Yup this fix had no impact on the number of errors we are seeing here. So as suggested let's ignore any permission denied errors in our logging.

gerritbot added a comment.Mar 1 2021, 6:41 PM

Change 664643 merged by jenkins-bot:
[mediawiki/extensions/WikimediaEvents@master] clientError: Ignore permission denied errors in error tracking

https://gerrit.wikimedia.org/r/664643

Jdlrobson closed this task as Resolved.Mar 1 2021, 6:42 PM
Jdlrobson claimed this task.

Will reopen Thursday if this doesn't have desired effect.

ReleaseTaggerBot edited projects, added MW-1.36-notes (1.36.0-wmf.33; 2021-03-02); removed MW-1.36-notes (1.36.0-wmf.29; 2021-02-02).Mar 1 2021, 7:00 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 1 2021, 7:10 PM
AlexisJazz mentioned this in T309909: Error: Permission denied to access property "nodeType" when pressing Ctrl+F while editing (Firefox).Jun 4 2022, 3:18 AM
Aklapper edited projects, added Instrument-ClientError; removed DoNotUse---Instrument-ClientError.Nov 24 2022, 1:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL