Google has made the decision to temporarily reverse the removal of browser alert windows and other prompts created by cross-origin iframes in Chrome after an update to its browser led to an uproar from developers as well as broken websites and web apps.
As reported by The Register, an iframe, which is short for Inline Frame, is a portion of a web page that is embedded in another web page. However, when an iframe contains resources form a different origin or domain, it is known as a cross-origin iframe.
The Chromium team has been planning since March of last year to limit the capabilities of cross-origin iframes due to the fact that they are a security liability. This is because they make it possible for an embedded resource such as an ad to show a prompt in Chrome as if came from the host domain.
In an Intent to Remove notice posted in a Google Group last year, a Google engineer explained how cross-origin iframes can lead to spoofs, saying:
“The current user experience is confusing, and has previously led to spoofs where sites pretend the message comes from Chrome or a different website. Removing support for cross origin iframes’ ability to trigger the UI will not only prevent this kind of spoofing, but will also unblock further efforts to make the dialog more recognizable as part of the website rather than the browser.”
A well-intentioned change
While Google’s decision to remove browser alert windows and prompts from Chrome was well-intentioned, its implementation has caused headaches for many developers.
With the release of Chrome 92.0.4515.107 earlier this month, window.alert, window.prompt and window.confirm were deprecated from cross-origin iframes. This change has led to problems in a number applications that use cross-origin iframes to show alerts, notifications and confirmation windows to their users.
To provide developers with more time to rewrite their apps and sites, Chrome has now disabled its deprecation until August 15.
Via The Register