PostHog / rrweb Sentry Errors
TLDR: PostHog's session recorder instruments our cross-origin Node-RED iframe, then crashes trying to clean it up. We've patched the one error we caused ourselves. The rest may be resolved by the fix — if not, they're in PostHog's CDN code and will be silenced in Sentry.
The Fix
Both immersive editor wrappers previously set iframe.src = 'about:blank' in beforeUnmount to prevent rrweb's SecurityError on cross-origin removeEventListener. This introduced a second error: the about:blank navigation caused rrweb to re-instrument the iframe while its iframeManager was already torn down.
Fix: remove the iframe from the DOM instead, so rrweb never sees the navigation.
this.$refs.iframe.parentNode?.removeChild(this.$refs.iframe)
Whether this fully resolves the SecurityError family depends on whether rrweb drops its internal window references when the iframe is removed from DOM — we'll know once this ships.
Errors
All errors share the same root: PostHog's rrweb session recorder instruments the page including any iframes it finds. When that iframe is cross-origin (our Node-RED editor), rrweb can't safely access its contentWindow — but it tries to anyway during session lifecycle events (idle timeout, session rotation, teardown). These events fire via setTimeout and can trigger long after the user has left the editor, which is why they're hard to reproduce and hard to prevent from our side.
The multiple rrweb versions (0.0.48, 0.0.51, 0.0.56) are because PostHog's CDN serves whatever is cached for a given user — we have no control over which version runs.
| Error |
rrweb |
Trigger |
Fixed? |
TypeError: Cannot read 'bufferBelongsToIframe' |
0.0.56 |
about:blank navigation re-instrumented iframe while iframeManager was torn down |
Yes |
TypeError in record.addCustomEvent → forEach |
0.0.51 |
PostHog session creation hits onRRwebEmit → addCustomEvent on stale rrweb state |
No — purely in PostHog CDN code |
SecurityError + TypeError in addCustomEvent → forEach |
0.0.51 |
Idle timeout fires session stop, onRRwebEmit hits same stale state; SecurityError from cross-origin window access in same path |
Partially — SecurityError may be resolved; addCustomEvent crash is not |
SecurityError in _teardown (idle timeout) |
0.0.48 |
_enforceIdleTimeout → stop → _teardown iterates rrweb's window list, hits cross-origin iframe window |
Maybe |
SecurityError in _teardown (session rotation) |
0.0.48 |
_updateWindowAndSessionIds → stop → _teardown, same window list iteration |
Maybe — resolves with the above or not at all |
If the Fix Doesn't Help
All remaining errors are inside PostHog's CDN-served rrweb bundles. If they persist after this fix, there's nothing further we can do from our code — we'll silence them in Sentry.
PostHog / rrweb Sentry Errors
The Fix
Both immersive editor wrappers previously set
iframe.src = 'about:blank'inbeforeUnmountto prevent rrweb's SecurityError on cross-originremoveEventListener. This introduced a second error: theabout:blanknavigation caused rrweb to re-instrument the iframe while itsiframeManagerwas already torn down.Fix: remove the iframe from the DOM instead, so rrweb never sees the navigation.
Whether this fully resolves the SecurityError family depends on whether rrweb drops its internal window references when the iframe is removed from DOM — we'll know once this ships.
Errors
All errors share the same root: PostHog's rrweb session recorder instruments the page including any iframes it finds. When that iframe is cross-origin (our Node-RED editor), rrweb can't safely access its
contentWindow— but it tries to anyway during session lifecycle events (idle timeout, session rotation, teardown). These events fire viasetTimeoutand can trigger long after the user has left the editor, which is why they're hard to reproduce and hard to prevent from our side.The multiple rrweb versions (
0.0.48,0.0.51,0.0.56) are because PostHog's CDN serves whatever is cached for a given user — we have no control over which version runs.TypeError: Cannot read 'bufferBelongsToIframe'0.0.56about:blanknavigation re-instrumented iframe whileiframeManagerwas torn downTypeErrorinrecord.addCustomEvent→forEach0.0.51onRRwebEmit→addCustomEventon stale rrweb stateSecurityError+TypeErrorinaddCustomEvent→forEach0.0.51onRRwebEmithits same stale state; SecurityError from cross-origin window access in same pathaddCustomEventcrash is notSecurityErrorin_teardown(idle timeout)0.0.48_enforceIdleTimeout→stop→_teardowniterates rrweb's window list, hits cross-origin iframe windowSecurityErrorin_teardown(session rotation)0.0.48_updateWindowAndSessionIds→stop→_teardown, same window list iterationIf the Fix Doesn't Help
All remaining errors are inside PostHog's CDN-served rrweb bundles. If they persist after this fix, there's nothing further we can do from our code — we'll silence them in Sentry.