Change designed to prevent spoofing led to broken websites and web apps
Google has decided to temporarily reverse the removal of browser alert windows and other prompts created by cross-origin iframes in Chrome after an update to its browser led to an uproar from developers and broken websites and web apps.
As reported by The Register, an iframe, which is short for Inline Frame, is a portion of a web page embedded in another web page. However, it is known as a cross-origin iframe when an iframe contains resources from a different origin or domain.
Since March of last year, the Chromium team has been planning to limit the capabilities of cross-origin iframes because they are a security liability. This is because they allow an embedded resource such as an ad to show a prompt in Chrome as if it came from the host domain.
In an Intent to Remove notice posted in a Google Group last year, a Google engineer explained how cross-origin iframes can lead to spoofs, saying:
“The current user experience is confusing, and has previously led to spoofs where sites pretend the message comes from Chrome or a different website. Removing support for cross origin iframes’ ability to trigger the UI will not only prevent this kind of spoofing, but will also unblock further efforts to make the dialog more recognizable as part of the website rather than the browser.”
A well-intentioned change
While Google’s decision to remove browser alert windows and prompts from Chrome was well-intentioned, its implementation has caused headaches for many developers.
With the release of Chrome 92.0.4515.107 earlier this month, Window Alert, Window Prompt and Window Confirm were deprecated from cross-origin iframes. This change has led to problems in several applications that use cross-origin iframes to show users alerts, notifications, and confirmation windows.
To provide developers with more time to rewrite their apps and sites, Chrome has now disabled its deprecation until August 15.