fix(clerk-js): Update inCrossOriginIframe to handle nested cross origin iframes

[thiskevinwang]

Description

I've observed the __clerk_db_jwt cookie to fail to be set on the Replit primary site, but successfully set when visiting the preview URL directly.

This aims to fix the former flow by improving our cross origin frame detection to support the following DOM structure

top (replit.com)
- iframe1 (foo.janeway.replit.dev/__iframe.html)
  - iframe2(foo.janeway.replit.dev; Clerk loaded here)

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Bug Fixes
  • Fixed cross-origin iframe detection to properly handle nested cross-origin iframe scenarios.

[changeset-bot]

🦋 Changeset detected

Latest commit: 36c9a25

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-expo	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Nov 13, 2025 10:23pm

[coderabbitai]

Walkthrough

The pull request adds a changeset entry and updates the inCrossOriginIframe utility function to better detect nested cross-origin iframes. The improved implementation checks if code runs in an iframe, then attempts to access window.top.location.href within a try/catch block to detect cross-origin ancestors, replacing the previous window.frameElement approach.

Changes

Cohort / File(s)	Change Summary
Changeset Documentation .changeset/cute-apes-watch.md	Patch version bump for @clerk/clerk-js documenting a fix for nested cross-origin iframe detection.
Cross-Origin Detection Logic packages/clerk-js/src/utils/runtime.ts	Updated inCrossOriginIframe function to first validate iframe presence, then detect cross-origin ancestors by attempting to access window.top.location.href with try/catch error handling for SecurityError exceptions.

Sequence Diagram

sequenceDiagram
    participant Code as Runtime Code
    participant Util as inCrossOriginIframe()
    
    Util->>Util: Check inIframe()
    alt Not in iframe
        Util-->>Code: return false
    else In iframe
        Util->>Util: Attempt access to<br/>window.top.location.href
        alt Access succeeds<br/>(same-origin ancestor)
            Util-->>Code: return false
        else SecurityError thrown<br/>(cross-origin ancestor)
            Util-->>Code: return true
        end
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Focus area: Logic change in inCrossOriginIframe function—verify the try/catch handles SecurityError correctly and preserves backward compatibility for non-cross-origin scenarios
• Changeset entry: Confirm version bump and description alignment with the functional change

Poem

🐰 Through nested frames we gently hop,
Detecting origins, we'll never stop,
With try-catch grace and SecurityError's call,
Cross-origin boundaries we now enthrall! 🪟✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly describes the main change: updating the inCrossOriginIframe utility to handle nested cross-origin iframes, which matches the core functionality change in the changeset.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch kevin/handle-nested-iframes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[thiskevinwang]

!snapshot

[clerk-cookie]

Hey @thiskevinwang - the snapshot version command generated the following package versions:

Package	Version
@clerk/agent-toolkit	0.2.2-snapshot.v20251113160408
@clerk/astro	2.15.2-snapshot.v20251113160408
@clerk/backend	2.23.0-snapshot.v20251113160408
@clerk/chrome-extension	2.8.2-snapshot.v20251113160408
@clerk/clerk-js	5.108.1-snapshot.v20251113160408
@clerk/elements	0.23.83-snapshot.v20251113160408
@clerk/clerk-expo	2.19.2-snapshot.v20251113160408
@clerk/expo-passkeys	0.4.19-snapshot.v20251113160408
@clerk/express	1.7.50-snapshot.v20251113160408
@clerk/fastify	2.6.2-snapshot.v20251113160408
@clerk/localizations	3.28.1-snapshot.v20251113160408
@clerk/nextjs	6.35.2-snapshot.v20251113160408
@clerk/nuxt	1.12.2-snapshot.v20251113160408
@clerk/clerk-react	5.55.1-snapshot.v20251113160408
@clerk/react-router	2.2.2-snapshot.v20251113160408
@clerk/remix	4.13.17-snapshot.v20251113160408
@clerk/shared	3.35.0-snapshot.v20251113160408
@clerk/tanstack-react-start	0.27.2-snapshot.v20251113160408
@clerk/testing	1.13.16-snapshot.v20251113160408
@clerk/themes	2.4.37-snapshot.v20251113160408
@clerk/types	4.100.1-snapshot.v20251113160408
@clerk/vue	1.15.2-snapshot.v20251113160408

Tip: Use the snippet copy button below to quickly install the required packages.
@clerk/agent-toolkit

npm i @clerk/[email protected] --save-exact

@clerk/astro

npm i @clerk/[email protected] --save-exact

@clerk/backend

npm i @clerk/[email protected] --save-exact

@clerk/chrome-extension

npm i @clerk/[email protected] --save-exact

@clerk/clerk-js

npm i @clerk/[email protected] --save-exact

@clerk/elements

npm i @clerk/[email protected] --save-exact

@clerk/clerk-expo

npm i @clerk/[email protected] --save-exact

@clerk/expo-passkeys

npm i @clerk/[email protected] --save-exact

@clerk/express

npm i @clerk/[email protected] --save-exact

@clerk/fastify

npm i @clerk/[email protected] --save-exact

@clerk/localizations

npm i @clerk/[email protected] --save-exact

@clerk/nextjs

npm i @clerk/[email protected] --save-exact

@clerk/nuxt

npm i @clerk/[email protected] --save-exact

@clerk/clerk-react

npm i @clerk/[email protected] --save-exact

@clerk/react-router

npm i @clerk/[email protected] --save-exact

@clerk/remix

npm i @clerk/[email protected] --save-exact

@clerk/shared

npm i @clerk/[email protected] --save-exact

@clerk/tanstack-react-start

npm i @clerk/[email protected] --save-exact

@clerk/testing

npm i @clerk/[email protected] --save-exact

@clerk/themes

npm i @clerk/[email protected] --save-exact

@clerk/types

npm i @clerk/[email protected] --save-exact

@clerk/vue

npm i @clerk/[email protected] --save-exact

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.changeset/cute-apes-watch.md (1)

5-5: Fix hyphenation in compound adjective.

The phrase should use "cross-origin" (hyphenated) when modifying "iframes" as a compound adjective.

Apply this diff:

-fix(clerk-js): update inCrossOriginIframe to handle nested cross origin iframes
+fix(clerk-js): update inCrossOriginIframe to handle nested cross-origin iframes

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 42f0d95 and 2cb2be7.

📒 Files selected for processing (2)

• .changeset/cute-apes-watch.md (1 hunks)
• packages/clerk-js/src/utils/runtime.ts (1 hunks)

🧰 Additional context used

🪛 LanguageTool

.changeset/cute-apes-watch.md

[grammar] ~5-~5: Use a hyphen to join words.
Context: ...CrossOriginIframe to handle nested cross origin iframes

(QB_NEW_EN_HYPHEN)

🔇 Additional comments (1)

packages/clerk-js/src/utils/runtime.ts (1)

24-38: The web search returned general information about unit testing in TypeScript, but not specific to this codebase. Let me search for test files within the utils directory structure directly.

Perfect! The web search confirms that reading from window.top.location.href throws a SecurityError if the iframe is cross-origin, which validates the implementation approach in the code. Now let me check for test files specifically for the runtime utilities.

Based on the comprehensive verification I've conducted:

1. Implementation correctness verified: The web search confirms that attempting to read window.top.location.href throws a SecurityError in cross-origin iframe contexts, which is the exact mechanism this code relies upon.

2. Test coverage identified: The initial shell script showed that inCrossOriginIframe is already being tested, but only as a mocked dependency in cookie-handling tests (in clientUat.test.ts and session.test.ts), not as dedicated unit tests for the function itself.

3. No dedicated unit tests found: The shell output shows the function is imported and mocked but not tested directly for its internal logic.

The original review comment was asking for test verification but made specific requests. Since the implementation itself is correct and uses a well-established technique validated by browser security policies, I can now provide my final response.

Excellent implementation of nested cross-origin iframe detection!

The code correctly uses the SecurityError thrown when accessing window.top.location.href to detect cross-origin iframes at any nesting level. This approach is sound and aligns with browser same-origin policies.

The existing integration tests in packages/clerk-js/src/core/auth/cookies/__tests__/ already verify the function's behavior by mocking it with both true and false return values, validating that cookies are set correctly in both same-origin and cross-origin contexts.

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7212

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7212

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7212

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7212

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7212

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7212

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7212

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7212

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7212

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7212

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7212

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7212

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7212

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7212

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7212

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7212

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7212

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7212

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7212

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7212

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7212

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7212

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7212

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7212

commit: 36c9a25