Google has temporarily reversed the removal of Chrome's support for alert windows and other dialogs triggered from cross-origin iframes, after a rocky rollout over the last two weeks that broke web applications and angered developers.
An iframe, or inline frame, is a part of a web page that is embedded in another web page. When it loads content from a different origin, such as another domain, it is a cross-origin iframe.
Since March 2020, the team behind Chromium, the open source project on which Chrome is built, has planned to limit what cross-origin iframes can do, because they are a security liability. In particular, they allow an embedded resource such as an ad to present a message as if it came from the host domain.
“The current user experience is confusing and has previously led to forgeries where sites pretend the message is from Chrome or another site,” a Google engineer explained in the company’s first Intent to Remove message last year.
“Removing support for cross-origin iframes’ ability to trigger the user interface will not only prevent this type of spoofing, but will also remove the blocking of additional efforts to make the dialog more recognizable as part of the site instead of the browser.”
In doing so, Google has broken more than a few web apps. And eventually, Google plans to remove these dialog mechanisms completely (from same-origin as well as cross-origin contexts), again to prevent potential abuse.
The deprecation of window.confirm from cross-origin iframes came into force with the release of Chrome 92.0.4515.107 on July 20th. Since then, applications such as the social dev environment CodePen and Microsoft's Azure Cosmos DB have run into problems because they presented users with alerts, notifications, and confirmation dialogs via cross-origin iframes.
In the Chromium issue where the removal is tracked, developers have chimed in to express their dismay at the way this change has been forced on the online community.
window.parent.postMessage solution because parts of our web app are now corrupted for our tens of thousands of users.”
“I am an engineer for a large ERP company and work on a product where hundreds of large customers (hundreds of thousands of users) are no longer able to use the product due to the removal of cross-dialogs,” wrote another developer.
“These customers usually choose to host the product themselves, which means that registering for the origin will fall on each of them. It is not possible for us or their IT departments. We cannot even make it internally. We also get feedback on asking them to push out registry settings.”
“My team works around the clock and on weekends to try to rewrite our product around this change and simply needs more time. In my opinion, this type of change should have been documented and warned about in advance.”
The outcry has proven loud enough that last week Microsoft Edge reverted the change in its copy of the upstream Chromium code to restore dialogs in cross-origin iframes. Shortly afterwards, a Google engineer said Chrome had disabled the deprecation until August 15 to give developers more time to rewrite their apps.
Google has even implemented a four-month “reverse origin trial” opt-in that temporarily restores cross-origin dialogs for Chrome users and gives developers facing large-scale retrofitting more time to find replacements for the exiled API methods.
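The window.parent.postMessage workaround the developers above refer to, written out as an added example (this is not code from the article, from Chromium, or from any of the products named): the embedded frame asks the host page to show the confirm dialog, and the host shows it under its own origin, so the user sees who is really asking, which is the spoofing concern behind the Chrome change. The origins, message type names and field names are this example's own assumptions.

```javascript
// Host (parent page) side: answer dialog requests from embedded frames so the
// dialog is shown under the host's own origin, not the iframe's.
function createDialogHost({ allowedOrigins, confirmFn }) {
  return function onMessage(event) {
    // Allow-list the embedded origins; never trust a sender field inside the data.
    if (!allowedOrigins.includes(event.origin)) return null;
    const d = event.data;
    if (!d || d.type !== 'confirm-request' || typeof d.id !== 'string') return null;
    // Coerce and cap the text so the host dialog cannot be used to show arbitrary bulk.
    const text = String(d.message ?? '').slice(0, 500);
    const reply = { type: 'confirm-result', id: d.id, result: confirmFn(text) === true };
    event.source.postMessage(reply, event.origin); // targeted reply, never '*'
    return reply;
  };
}

// Embedded (iframe) side: replacement for window.confirm() that asks the host
// and delivers the answer to a callback instead of returning synchronously.
function createDialogClient({ parentWindow, hostOrigin, addListener, removeListener }) {
  let seq = 0;
  return function confirmViaHost(message, onResult) {
    const id = `confirm-${++seq}`;
    const onReply = (event) => {
      if (event.origin !== hostOrigin) return; // only the host may answer
      const r = event.data;
      if (!r || r.type !== 'confirm-result' || r.id !== id) return;
      removeListener('message', onReply);
      onResult(r.result === true);
    };
    addListener('message', onReply);
    parentWindow.postMessage({ type: 'confirm-request', id, message }, hostOrigin);
  };
}

// In a browser the iframe would wire it up like this (origins are assumed):
//   const confirmViaHost = createDialogClient({
//     parentWindow: window.parent, hostOrigin: 'https://host.example',
//     addListener: (t, f) => window.addEventListener(t, f),
//     removeListener: (t, f) => window.removeEventListener(t, f) });
//   confirmViaHost('Delete this record?', (ok) => { if (ok) deleteRecord(); });
// and the host page:
//   window.addEventListener('message', createDialogHost({
//     allowedOrigins: ['https://widget.example'], confirmFn: (t) => window.confirm(t) }));
```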
“This is top Chrome; what appears to be a reasonably good idea is hampered because it was thoughtlessly pushed out without making any serious effort to alert those affected or make sure nothing else breaks, or make sure it thoroughly solves the problem,” wrote developer Daniel Shumway in a post to Hacker News.
“Chrome product owners are smart, but they are careless and constantly break the web because they do not seem to have enough sense of gravity or caution about what they are doing.” ®