From b0a3c52df7fe75aaffad7d21105a772f5e69d551 Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Thu, 13 Nov 2025 10:47:07 -0500
Subject: [PATCH 1/2] fix(clerk-js): update `inCrossOriginIframe` to handle nested cross origin iframes

This handles the following dom structure
```
top (replit.com)
- iframe1 (foo.janeway.replit.dev/__iframe.html)
- iframe2(foo.janeway.replit.dev; Clerk loaded here)
```
---
 packages/clerk-js/src/utils/runtime.ts | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/packages/clerk-js/src/utils/runtime.ts b/packages/clerk-js/src/utils/runtime.ts
index ae7c6778715..5f3dfc48343 100644
--- a/packages/clerk-js/src/utils/runtime.ts
+++ b/packages/clerk-js/src/utils/runtime.ts
@@ -21,7 +21,19 @@ export function inIframe() {
 }
 export function inCrossOriginIframe() {
- // https://developer.mozilla.org/en-US/docs/Web/API/Window/frameElement
- // frameElement: if the document into which it's embedded has a different origin, the value is null instead.
- return inIframe() && !window.frameElement;
+ if (!inIframe()) {
+ return false;
+ }
+
+ try {
+ // Try to access top window's location to check if any ancestor is cross-origin
+ // This will throw a SecurityError if any iframe in the chain is cross-origin
+ // Handles nested iframes where immediate parent might be same-origin
+ // but a higher-level ancestor is cross-origin
+ void window.top?.location.href;
+ return false;
+ } catch {
+ // SecurityError thrown - we're in a cross-origin iframe (at any level)
+ return true;
+ }
 }

From 2cb2be78e26fc12aac2838db0f16a048b4f1f498 Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Thu, 13 Nov 2025 10:48:48 -0500
Subject: [PATCH 2/2] chore: changeset
---
 .changeset/cute-apes-watch.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/cute-apes-watch.md

diff --git a/.changeset/cute-apes-watch.md b/.changeset/cute-apes-watch.md
new file mode 100644
index 00000000000..741f9300df5
--- /dev/null
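Review bot: `void window.top?.location.href` only probes whether the top window is same-origin, so the new comment "throws a SecurityError if any iframe in the chain is cross-origin" overstates what the check does: in a chain where top and the current document share an origin but an intermediate ancestor does not (A > B > A), the read succeeds and the function now returns false, whereas the removed `frameElement` check still reported true for a cross-origin immediate parent. If "any ancestor" is the intended contract, walk the chain via `parent` and read each ancestor's `location.href`, which throws at the first cross-origin frame; the whole of `inCrossOriginIframe` is inside this hunk, so the rewrite below is self-contained. The bare `catch` also turns any exception into "cross-origin", which is presumably acceptable for a boolean probe, but narrowing it with `err instanceof DOMException && err.name === 'SecurityError'` would stop an unrelated TypeError from being read as an isolation signal. The `?.` null-guard on `window.top` is kept in the loop condition so a detached document still yields false as it does in the committed version.
```typescript
export function inCrossOriginIframe() {
  // … unchanged: inIframe() guard …

  try {
    // Walk every ancestor up to top; reading location.href throws a
    // SecurityError at the first cross-origin frame in the chain, which
    // also covers a same-origin top behind a cross-origin intermediate.
    let ancestor: Window = window;
    while (ancestor.parent && ancestor.parent !== ancestor) {
      ancestor = ancestor.parent;
      void ancestor.location.href;
    }
    return false;
  } catch {
    // SecurityError thrown - some ancestor is cross-origin
    return true;
  }
}
```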
+++ b/.changeset/cute-apes-watch.md
@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+fix(clerk-js): update inCrossOriginIframe to handle nested cross origin iframes