fix: prevent iframe leak in untainted prototype and avoid unnecessary iframe creation #159
Merged
pauldambra merged 1 commit into main from Apr 2, 2026
pauldambra
approved these changes
Apr 2, 2026
| return candidate.prototype as BasePrototypeCache[T]; | ||
| } | ||
|
|
||
| const iframeEl = document.createElement('iframe'); |
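Review bot: the `const iframeEl = document.createElement('iframe');` line carries no comment marking the element as a throwaway that must be removed on every exit path, and from these lines alone it is not visible whether the `try` opens directly after it. Suggest a one-line comment here and keeping this declaration as the last statement before `try {`, so that no later early return or throwing call can land between creation and the `finally` cleanup the PR summary describes.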
Member
could document.createElement fail?
in which case we'd be better with
let iframeEl: blah or blah = null
try {
iframeEl = document.createElement('iframe');
very not sure if it's even possible for that to throw though!
This was referenced Apr 2, 2026
pauldambra
added a commit
to PostHog/posthog-js
that referenced
this pull request
Apr 8, 2026
## Summary

- Bumps `@posthog/rrweb-plugin-console-record`, `@posthog/rrweb-record`, and `@posthog/rrweb-types` from `0.0.53` → `0.0.56`
- Includes fixes from posthog-rrweb#157–159, #163, and #166

THIS SHOULD SHOW A BUNDLE SIZE REDUCTION BEFORE MERGING

### Changes included (0.0.54–0.0.56)

- PostHog/posthog-rrweb#157: fix: clear mutation buffer on iframe pagehide to prevent recording corruption
- PostHog/posthog-rrweb#158: fix: skip unchanged setAttribute calls to prevent replay flicker
- PostHog/posthog-rrweb#159: fix: prevent iframe leak in untainted prototype and avoid unnecessary iframe creation
- PostHog/posthog-rrweb#163: fix: handle SecurityError in IframeManager destroy and removeIframeById
- PostHog/posthog-rrweb#166: fix: remove postcss from @posthog/rrweb-record bundle (420KB → 170KB)

---

*Created with [PostHog Code](https://posthog.com/code?ref=pr)*
mergify bot
pushed a commit
to doxynix/doxynix
that referenced
this pull request
Apr 11, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [fast-xml-parser](https://redirect.github.com/NaturalIntelligence/fast-xml-parser) | [`5.5.10` → `5.5.11`](https://renovatebot.com/diffs/npm/fast-xml-parser/5.5.10/5.5.11) |  |  |
| [posthog-js](https://posthog.com/docs/libraries/js) ([source](https://redirect.github.com/PostHog/posthog-js)) | [`1.365.1` → `1.365.3`](https://renovatebot.com/diffs/npm/posthog-js/1.365.1/1.365.3) |  |  |

---

### Release Notes

<details>
<summary>NaturalIntelligence/fast-xml-parser (fast-xml-parser)</summary>

### [`v5.5.11`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.10...12b041ddeffa8b37ea44d572284c00a89148f2d3)

[Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.10...12b041ddeffa8b37ea44d572284c00a89148f2d3)

</details>

<details>
<summary>PostHog/posthog-js (posthog-js)</summary>

### [`v1.365.3`](https://redirect.github.com/PostHog/posthog-js/releases/tag/posthog-js%401.365.3)

[Compare Source](https://redirect.github.com/PostHog/posthog-js/compare/posthog-js@1.365.2...posthog-js@1.365.3)

#### 1.365.3

##### Patch Changes

- [#3357](https://redirect.github.com/PostHog/posthog-js/pull/3357) [`dbdddca`](https://redirect.github.com/PostHog/posthog-js/commit/dbdddcad578adf282f620d2afcd5808600a9c287) Thanks [@pauldambra](https://redirect.github.com/pauldambra)! - Bump [@posthog/rrweb](https://redirect.github.com/posthog/rrweb) packages to 0.0.56, which includes:
  - [PostHog/posthog-rrweb#157](https://redirect.github.com/PostHog/posthog-rrweb/issues/157): fix: clear mutation buffer on iframe pagehide to prevent recording corruption
  - [PostHog/posthog-rrweb#158](https://redirect.github.com/PostHog/posthog-rrweb/issues/158): fix: skip unchanged setAttribute calls to prevent replay flicker
  - [PostHog/posthog-rrweb#159](https://redirect.github.com/PostHog/posthog-rrweb/issues/159): fix: prevent iframe leak in untainted prototype and avoid unnecessary iframe creation
  - [PostHog/posthog-rrweb#163](https://redirect.github.com/PostHog/posthog-rrweb/issues/163): fix: handle SecurityError in IframeManager destroy and removeIframeById
  - [PostHog/posthog-rrweb#166](https://redirect.github.com/PostHog/posthog-rrweb/issues/166): fix: remove postcss from [@posthog/rrweb-record](https://redirect.github.com/posthog/rrweb-record) bundle (420KB → 170KB) (2026-04-08)
- Updated dependencies \[]:
  - [@posthog/types](https://redirect.github.com/posthog/types)@1.365.3

### [`v1.365.2`](https://redirect.github.com/PostHog/posthog-js/releases/tag/posthog-js%401.365.2)

[Compare Source](https://redirect.github.com/PostHog/posthog-js/compare/posthog-js@1.365.1...posthog-js@1.365.2)

#### 1.365.2

##### Patch Changes

- [#3323](https://redirect.github.com/PostHog/posthog-js/pull/3323) [`c387f6d`](https://redirect.github.com/PostHog/posthog-js/commit/c387f6dc146c9c09640e471e66043ad832b0476e) Thanks [@pauldambra](https://redirect.github.com/pauldambra)! - perf(replay): reduce memory and CPU cost of event compression by caching gzipped empty arrays and eliminating redundant JSON.stringify for size estimation (2026-04-08)
- Updated dependencies \[[`c387f6d`](https://redirect.github.com/PostHog/posthog-js/commit/c387f6dc146c9c09640e471e66043ad832b0476e)]:
  - [@posthog/types](https://redirect.github.com/posthog/types)@1.365.2

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Moscow)

- Branch creation - At any time (no schedule defined)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
Summary
- `try/finally` so the iframe is always removed, even on early return (when `contentWindow` is null) or exception. Previously these iframes would leak into the DOM.
- `querySelector`/`querySelectorAll` from `testableAccessors` to `testableMethods` and switches helpers from `getUntaintedAccessor` to `getUntaintedMethod`. These are methods, not property accessors, so the accessor check (`getOwnPropertyDescriptor(...).get`) always failed, causing a throwaway iframe to be created every time just to get the untainted prototype.

Why

Both fixes are in `packages/utils/src/index.ts` and affect the same `getUntaintedPrototype` code path. #1770 prevents DOM pollution from leaked iframes. #1802 avoids unnecessary iframe creation on every querySelector/querySelectorAll call, which is a hot path during recording.

Test plan
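The two behaviours described in the summary above, reduced to a runnable sketch. This is an added example, not code from posthog-rrweb: `Map.prototype` and a fake document stand in for the DOM, and every function name is hypothetical.

```javascript
// Added illustration. Map.prototype stands in for a DOM prototype because it has
// both a native accessor (size) and a native method (get); all names are hypothetical.
const looksNative = (fn) =>
  typeof fn === 'function' && Function.prototype.toString.call(fn).includes('[native code]');

// Accessor-style check: only passes when the descriptor carries a getter.
function accessorIsUntainted(proto, key) {
  const desc = Object.getOwnPropertyDescriptor(proto, key);
  return looksNative(desc && desc.get);
}

// Method-style check: inspects the function stored in the descriptor's value.
function methodIsUntainted(proto, key) {
  const desc = Object.getOwnPropertyDescriptor(proto, key);
  return looksNative(desc && desc.value);
}

// Constructed stand-in for document; `attached` models iframes currently in the DOM.
function makeFakeDocument(contentWindow) {
  const attached = new Set();
  return {
    attached,
    createElement: () => ({ contentWindow, remove() { attached.delete(this); } }),
    body: { appendChild: (el) => attached.add(el) },
  };
}

// "Before" shape: the early return skips cleanup, so the iframe stays attached.
function leakyLookup(doc, name) {
  const iframe = doc.createElement('iframe');
  doc.body.appendChild(iframe);
  const win = iframe.contentWindow;
  if (!win) return null;
  const proto = win[name].prototype;
  iframe.remove();
  return proto;
}

// "After" shape: finally runs on early return and on exceptions alike.
function safeLookup(doc, name) {
  const iframe = doc.createElement('iframe');
  try {
    doc.body.appendChild(iframe);
    const win = iframe.contentWindow;
    return win ? win[name].prototype : null;
  } finally {
    iframe.remove();
  }
}
```

A method's descriptor has `value` and no `get`, so an accessor-style check on it can never pass and the iframe fallback is taken on every call.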