Security error when loaded within a nested iframe

Firstly, thanks for this amazing library 🙇! 

📝 Summary:
I currently use this in one of our products and recently discovered an issue when our web app was rendered within a nested iframe (by one of our customers). And when the user tries to start the tour, they get the following error:

```
Uncaught (in promise) SecurityError: Failed to read a named property 'frameElement' from 'Window': Blocked a frame with origin "https://www.shepherdjs.dev" from accessing a cross-origin frame.
```

I was able to reproduce this error by also embedding: `https://www.shepherdjs.dev/` within a nested iframe

<details><summary>📸  Screenshot of the error</summary>

<img width="2112" alt="image" src="https://github.com/user-attachments/assets/4b20ea79-cb64-452d-aa81-b0764e0ffaf6" />

</details> 


🕵️ Steps to reproduce:

- Create 2 `.html` pages (e.g.: `index.html` and `shepherd.html`)
- Make sure these pages are accessible via `localhost:<port>`
- In `index.html`, add an `<iframe src="http://localhost:<port>/shepherd.html" />`
- In `shepherd.html`, add an `<iframe src="https://www.shepherdjs.dev/" />`
- Try clicking on the "Demo" , the tour doesn't start and it errors out with the mentioned iframe security error on the browser console.

When I investigated the code, it seems like it was caused by an issue [here](https://github.com/shipshapecode/shepherd/blob/4875cb30cb031b12ca86442a57dcc88eaa17a13b/shepherd.js/src/components/shepherd-modal.svelte#L239) and in general the browsers block to frames due to the `Same-origin policy`.

Would highly appreciate if any of you folks can help and add pointers to solve this. Thanks 🙏 


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security error when loaded within a nested iframe #3087

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development