When loading Matomo 3.5.0's piwik.js tracking client script into an HTML file that is loaded into an iframe on a different domain — Safari 11.1 (MacOS 10.13.4) throws the error below. See example CodePen link which loads the Matomo site into an iframe. This is a generalized use case for a widget app with Matomo tracking that would load onto a client domain.
[Error] Blocked a frame with origin "https://matomo.org" from accessing a frame with origin "https://s.codepen.io". Protocols, domains, and ports must match. Q (piwik.js:41:1708) addTracker (piwik.js:61:854) ac (piwik.js:23) c (piwik.js:70:685) aa (piwik.js:71:341) addTracker (piwik.js:72:245) (anonymous function) (piwik.js:293:273) Global Code (piwik.js:293:818)
The issue is thrown by
frameElement = windowAlias.frameElement; within /js/piwik.js#isInsideAnIframe.
From my cursory searching, the approaches within this function must have worked fine in the past. Recent Safari however (which has tightened security overall), doesn't seem to allow for try/catch silencing of the error.
Piwik continues to send tracking events after this error is thrown, but the
isInsideAnIframe method returns false which may be causing other issues in the tracking code related to the heartbeat.
Ideally, this error would also not be thrown on client websites that piwik/matomo tracker is iframed into.