Bar: forwards bar from hidden iframe to parent window via postMessage [Closes #427]

When a form posts into a hidden iframe, Tracy used to render its bar inside
the invisible iframe and the request was effectively lost. Tracy now detects
iframe context (Sec-Fetch-Dest header), stores the bar as an ajax-style
partial in session and emits a tiny postMessage to the parent. The parent's
bar listens for these messages and loads the content like any AJAX request.

Author: dg

examples/iframe-form.php

@@ -0,0 +1,47 @@
+<?php declare(strict_types=1);
+
+require __DIR__ . '/../src/tracy.php';
+
+use Tracy\Debugger;
+
+// For security reasons, Tracy is visible only on localhost.
+// You may force Tracy to run in development mode by passing the Debugger::Development instead of Debugger::Detect.
+Debugger::enable(Debugger::Detect, __DIR__ . '/log');
+
+
+// Form posted into a hidden iframe – Tracy starts a new bar instance inside
+// the iframe, so the request is effectively invisible (issue nette/tracy#427).
+if (!empty($_POST['data'])) {
+	bdump($_POST['data'], 'received in hidden iframe');
+	echo '<script>parent.setStatus(' . json_encode($_POST['data']) . ' + " received!")</script>';
+	exit;
+}
+
+?>
+<!DOCTYPE html><html class=arrow><link rel="stylesheet" href="assets/style.css">
+
+<h1>Tracy: hidden iframe form demo (issue #427)</h1>
+
+<p>Submitting the form posts into a hidden iframe. The request <em>is</em> handled
+	by Tracy, but the bar is rendered inside the invisible iframe, so it is not
+	shown in the parent page.</p>
+
+<iframe name="hiddenIframe"></iframe>
+
+<form target="hiddenIframe" action="iframe-form.php" method="post">
+	<input type="text" name="data" value="hello">
+	<input type="submit">
+</form>
+
+<h2 id="status">Waiting for submit...</h2>
+
+<script>
+	function setStatus(text) {
+		document.getElementById('status').innerText = text;
+	}
+</script>
+
+<?php
+if (Debugger::$productionMode) {
+	echo '<p><b>For security reasons, Tracy is visible only on localhost. Look into the source code to see how to enable Tracy.</b></p>';
+}

src/Tracy/Bar/Bar.php

@@ -57,6 +57,10 @@ public function renderLoader(DeferredContent $defer): void
 		}
 
 		$this->loaderRendered = true;
+		if (Helpers::isIframe()) {
+			return;
+		}
+
 		$requestId = $defer->getRequestId();
 		$async = true;
 		require __DIR__ . '/dist/loader.phtml';
@@ -87,6 +91,13 @@ public function render(DeferredContent $defer): void
 					'time' => time(),
 				];
 			}
+		} elseif (Helpers::isHtmlMode() && Helpers::isIframe()) {
+			if ($defer->isAvailable()) {
+				$defer->addSetup('Tracy.Debug.loadAjax', $this->renderPartial('iframe', '-iframe:' . $requestId));
+				echo '<script' . Helpers::getNonce(attr: true) . '>'
+					. '(window.parent !== window) && parent.postMessage({tracyIframeBar:' . Helpers::jsonEncode($requestId) . '}, "*")'
+					. '</script>';
+			}
 		} elseif (Helpers::isHtmlMode()) {
 			if (preg_match('#^Content-Length:#im', implode("\n", headers_list()))) {
 				Debugger::log(new \LogicException('Tracy cannot display the Bar because the Content-Length header is being sent'), Debugger::EXCEPTION);

src/Tracy/Bar/assets/bar.js

@@ -411,6 +411,7 @@ class Debug {
 
 		Debug.captureWindow();
 		Debug.captureAjax();
+		Debug.captureIframe();
 
 		Tracy.TableSort.init();
 		Tracy.Tabs.init();
@@ -523,6 +524,16 @@ class Debug {
 	}
 
 
+	static captureIframe() {
+		window.addEventListener('message', (e) => {
+			let id = e.data && e.data.tracyIframeBar;
+			if (typeof id === 'string' && /^\w{10,15}$/.test(id)) {
+				Debug.loadScript(baseUrl + '_tracy_bar=content-ajax.' + id + '&XDEBUG_SESSION_STOP=1&v=' + Math.random());
+			}
+		});
+	}
+
+
 	static loadScript(url) {
 		if (Debug.scriptElem) {
 			Debug.scriptElem.remove();

src/Tracy/Bar/assets/bar.latte

@@ -11,6 +11,8 @@
 			<li><span title="Previous request before redirect">redirect</span></li>
 		{case ajax}
 			<li>AJAX</li>
+		{case iframe}
+			<li>iframe</li>
 	{/switch}
 
 	{foreach $panels as $panel}

src/Tracy/Bar/dist/bar.phtml

@@ -22,21 +22,24 @@ if ($ʟ_switch === ('main')) /* pos 6:3 */ {
 } elseif ($ʟ_switch === ('ajax')) /* pos 12:3 */ {
 	echo '	<li>AJAX</li>
 ';
+} elseif ($ʟ_switch === ('iframe')) /* pos 14:3 */ {
+	echo '	<li>iframe</li>
+';
 }
 echo "\n";
-foreach ($panels as $panel) /* pos 16:2 */ {
-	if ($panel->tab) /* pos 17:7 */ {
+foreach ($panels as $panel) /* pos 18:2 */ {
+	if ($panel->tab) /* pos 19:7 */ {
 		echo '	<li>';
-		if ($panel->panel) /* pos 17:26 */ {
+		if ($panel->panel) /* pos 19:26 */ {
 			echo '<a href="#" rel="tracy-debug-panel-';
-			echo Tracy\Helpers::escapeHtml($panel->id) /* pos 17:79 */;
+			echo Tracy\Helpers::escapeHtml($panel->id) /* pos 19:79 */;
 			echo '">';
-			echo trim($panel->tab) /* pos 17:93 */;
+			echo trim($panel->tab) /* pos 19:93 */;
 			echo '</a>
 ';
-		} else /* pos 18:3 */ {
+		} else /* pos 20:3 */ {
 			echo '	<span>';
-			echo trim($panel->tab) /* pos 18:15 */;
+			echo trim($panel->tab) /* pos 20:15 */;
 			echo '</span>
 ';
 		}
@@ -47,7 +50,7 @@ foreach ($panels as $panel) /* pos 16:2 */ {
 }
 
 echo "\n";
-if ($type === 'main') /* pos 22:6 */ {
+if ($type === 'main') /* pos 24:6 */ {
 	echo '	<li><a href="#" data-tracy-action="close" title="close debug bar">&times;</a></li>
 ';
 }

src/Tracy/Helpers.php

@@ -396,6 +396,14 @@ public static function isRedirect(): bool
 	}
 
 
+	/** @internal */
+	public static function isIframe(): bool
+	{
+		$dest = $_SERVER['HTTP_SEC_FETCH_DEST'] ?? '';
+		return $dest === 'iframe' || $dest === 'frame';
+	}
+
+
 	/** @internal */
 	public static function createId(): string
 	{