Fix SecurityError when accessing localStorage in restricted browser environments

[Copilot]

Fix: Wrap localStorage access in try-catch blocks to prevent app crashes

Problem

The Snowplow JavaScript tracker was directly accessing window.localStorage without proper error handling, which throws a SecurityError in certain browser configurations:

• Mobile Safari 18.1.1 with certain privacy settings
• Firefox with dom.storage.enabled disabled
• Other browsers in private/incognito mode with strict settings

This caused the tracker to break the host application.

Solution

Wrapped both localStorage access points in local_storage_event_store.ts with try-catch blocks:

1. Line 24-26 - window.localStorage.getItem() - Now wrapped in try-catch, falls back to empty in-memory store on error and logs error to console
2. Line 42-43 - window.localStorage.setItem() - Now wrapped in try-catch, silently continues with in-memory storage on error and logs error to console

Behavior After Fix

• ✅ If localStorage is accessible: Works as before, persisting events to localStorage
• ✅ If localStorage throws SecurityError: Gracefully falls back to in-memory-only storage and logs the error
• ✅ Events are never lost - they're always stored in memory
• ✅ The app doesn't crash or break due to localStorage access issues
• ✅ Developers can see localStorage errors in the console for debugging

Testing

Added comprehensive test suite (test/tracker/local_storage_event_store.test.ts) that verifies:

• ✅ Normal operation with localStorage enabled/disabled
• ✅ Graceful handling when getItem() throws SecurityError
• ✅ Graceful handling when setItem() throws SecurityError
• ✅ Graceful handling when both operations throw errors
• ✅ Events persist to localStorage when accessible
• ✅ Events load from localStorage on initialization

Changes Made:

• Wrap window.localStorage.getItem() call in try-catch (line 24)
• Wrap window.localStorage.setItem() call in try-catch (line 42)
• Add console.error logging for localStorage failures
• Add comprehensive test suite with proper EventStorePayload format
• Verify changes follow existing codebase patterns

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Direct access to localStorage in @snowplow/browser-tracker-core might break an app</issue_title>
<issue_description>Describe the bug
Browser Tracker Core tries to access the window.localStorage directly (example 1, example 2). Although this behavior can be deactivated using the useLocalStorage property; it's not straightforward that a developer might do it, for example, using the detector localStorageAccessible. This means that a bug can sneak into production builds.

To Reproduce
We can use Firefox to reproduce it manually by opening the about:config tab and deactivating the dom.storage.enabled option.

Expected behavior
Snowplow Browser Tracker should not break the app.
</issue_description>

<agent_instructions>A bit more context from another user:

The customer reached out as they think they've hit a kind of obscure bug on Mobile Safari 18.1.1. This line right here: https://github.com/snowplow/snowplow-javascript-tracker/blob/master/libraries/browser-tracker-core/src/tracker/local%5Fstorage%5Fevent%5Fstore.ts#L24 is causing the following error:

SecurityError
The operation is insecure.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Fixes #1419

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[snowplowcla]

Thanks for your pull request. Is this your first contribution to a Snowplow open source project? Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://docs.snowplowanalytics.com/docs/contributing/contributor-license-agreement/ to learn more and sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

[matus-tomlein]

@copilot Rather than failing silently, can we here and above in the other catch block call console.error to log the failure?

[Copilot]

Added console.error logging in both catch blocks to help with debugging localStorage access issues. The error messages now indicate:

• "Failed to access localStorage when initializing event store" (line 29)
• "Failed to persist events to localStorage" (line 45)

[matus-tomlein]

@copilot running the tests results in an error:

  ● Test suite failed to run

    test/tracker/local_storage_event_store.test.ts:65:26 - error TS2345: Argument of type '{ e: string; eid: string; }' is not assignable to parameter of type 'EventStorePayload'.
      Property 'payload' is missing in type '{ e: string; eid: string; }' but required in type 'EventStorePayload'.

    65     await eventStore.add(event);
                                ~~~~~

      ../tracker-core/dist/index.module.d.ts:1128:5
        1128     payload: Payload;
  ...24 lines omitted...

    147     await eventStore.add(event);
                                 ~~~~~

      ../tracker-core/dist/index.module.d.ts:1128:5
        1128     payload: Payload;
                 ~~~~~~~
        'payload' is declared here.

Returned error code: 1

[Copilot]

@copilot running the tests results in an error:

...

Fixed the test to use the proper EventStorePayload format. Events now have a payload property wrapping the actual event data: { payload: { e: 'pv', eid: 'test-event-id' } } (commit d56a88b)