Description
The "Export Private Key" feature in the ConnectButton wallet details modal fails on mobile browsers (tested on Chrome for Android and Safari iOS). The embedded wallet iframe at embedded-wallet.thirdweb.com fails to load, resulting in the error:
Unsafe attempt to load URL https://embedded-wallet.thirdweb.com/sdk/2022-08-12/embedded-wallet?clientId=...
from frame with URL chrome-error://chromewebdata/. Domains, protocols and ports must match.
The iframe navigates to chrome-error://chromewebdata/ instead of loading the export UI, and subsequent postMessage calls fail due to origin mismatch.
Steps to Reproduce
- Create an inAppWallet with executionMode: { mode: "EIP7702", sponsorGas: true }
- Log in via Google/email on a mobile browser
- Open the ConnectButton details modal
- Tap "Export Private Key"
- Iframe fails to load — screen stays blank or shows loading indefinitely
Expected Behavior
The private key export iframe should load and display the private key export UI on mobile, same as on desktop.
Environment
- SDK version: thirdweb@5.119.1
- Wallet config: inAppWallet({ auth: { options: ["google", "email", "passkey"] }, executionMode: { mode: "EIP7702", sponsorGas: true } })
- Browsers affected: Chrome mobile (Android), Safari (iOS)
- Desktop: Works fine on Chrome/Firefox/Safari
Analysis
The iframe URL (https://embedded-wallet.thirdweb.com/sdk/2022-08-12/embedded-wallet/export-private-key) returns HTTP 200 with no X-Frame-Options restriction when tested server-side. The issue appears to be mobile browser storage partitioning / third-party iframe restrictions preventing the iframe from initializing its session context.
The PrivateKey component in react/web/ui/ConnectWallet/screens/PrivateKey.js relies on postMessage communication with the iframe, but when the iframe fails to load, the exportPrivateKeyIframeLoaded event never fires, leaving the UI stuck in a loading state with no error feedback to the user.
Suggestions
- Add error handling / timeout for the iframe load in PrivateKey.js so users see a clear error message
- Consider using Storage Access API for mobile browser compatibility
- Possibly offer a non-iframe fallback for mobile (e.g. redirect-based flow)
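
One way the first suggestion could be implemented: wait for the iframe's load message with a timeout, accepting it only from the embedded-wallet origin, so a frame that ended up on chrome-error://chromewebdata/ produces an error instead of an endless spinner. This is an added example, not thirdweb's code; the function names, the `{ eventType }` message shape and the 10-second default are assumptions.

```javascript
// Added example, not thirdweb code. Assumed: message shape { eventType }, 10 s default.
const WALLET_ORIGIN = "https://embedded-wallet.thirdweb.com"; // origin from the issue
const LOADED_EVENT = "exportPrivateKeyIframeLoaded"; // event named in the issue

// True only for the expected event, sent from the expected origin.
function isTrustedLoadMessage(event, origin = WALLET_ORIGIN) {
  return (
    event.origin === origin &&
    typeof event.data === "object" &&
    event.data !== null &&
    event.data.eventType === LOADED_EVENT
  );
}

// Resolves when the iframe reports it has loaded; rejects after timeoutMs so the
// UI can leave its loading state and show an error to the user.
// `target` is `window` in a browser; any EventTarget works.
function waitForExportIframe(target, { timeoutMs = 10_000, origin = WALLET_ORIGIN } = {}) {
  return new Promise((resolve, reject) => {
    const cleanup = () => {
      clearTimeout(timer);
      target.removeEventListener("message", onMessage);
    };
    const onMessage = (event) => {
      // Ignore messages from other frames or origins, including an error page.
      if (!isTrustedLoadMessage(event, origin)) return;
      cleanup();
      resolve(event.data);
    };
    const timer = setTimeout(() => {
      cleanup();
      reject(new Error(`Export iframe did not load within ${timeoutMs} ms`));
    }, timeoutMs);
    target.addEventListener("message", onMessage);
  });
}
```

In the component, the rejection branch is where the loading state would be replaced by an error message.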