Google has temporarily rolled back Chrome’s removal of browser alert windows and other prompts created via cross-origin iframes after a rocky rollout over the past two weeks that broke web apps and alarmed developers.
An iframe, or Inline Frame, is a part of a web page embedded within another web page. When it includes resources from a different origin or domain, it is a cross-origin iframe.
Since March 2020, the team behind Chromium, Chrome’s open source engine, has planned to limit the capabilities of cross-origin iframes because they are a security concern. Specifically, they allow an embedded resource such as an ad to present a prompt as if it were the host domain.
“The current user experience is confusing and has already led to parodies where sites claim the message is from Chrome or some other website,” a Google engineer explained in the company’s first post, a notice of intent to delete, last year.
“Removing support for the ability of cross-origin iframes to trigger UI will not only prevent this type of impersonation, but will also unlock new efforts to make the dialog box more recognizable as part of the website rather than the browser.”
In doing so, Google broke more than a few web applications. And eventually, Google plans to remove these prompt mechanisms altogether (in same-origin contexts as well as cross-origin contexts), again to avoid potential abuse.
The deprecation of window.confirm in cross-origin iframes took effect with the release of Chrome 92.0.4515.107 on July 20. Since then, applications like the social development environment Codepen and Microsoft Azure Cosmos Database have encountered issues because they present users with alerts, notifications, and confirmation windows via cross-origin iframes.
In the Chrome issue where the removal is tracked, developers have stepped in to express their dismay at the way this change has been forced on the web community.
window.parent.postMessage workaround because pieces of our web application are now broken for our tens of thousands of users.”
“I am an engineer for a large ERP company and I am working on a product where hundreds of large customers (hundreds of thousands of users) are no longer able to use the product due to the removal of the cross-origin dialogs,” wrote another developer.
“These customers typically choose to host the product themselves, which means that the original registration would be up to each of them individually. This is not feasible for us or their IT departments. We’re not even able to make it work internally. We also receive reluctance asking them to remove the settings from the registry.”
“My team is working around the clock and on weekends trying to rewrite our product around this change and just needs more time. This type of change should have been documented and warned in advance in my opinion.”
The outcry proved loud enough that Microsoft Edge last week reverted the changes in its upstream Chromium code to restore dialogs in cross-origin iframes. Shortly after, a Google engineer said that Chrome had disabled its deprecation until August 15 to give developers more time to rewrite their applications.
Google even implemented a four-month opt-in “reverse origin trial” which temporarily revives cross-origin prompts for Chrome users and gives developers who are reworking large web applications more time to find replacements for the removed API methods.
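The window.parent.postMessage workaround mentioned above moves the dialog into the host page, where it can be labelled with the requesting origin. A sketch of the host-page side, as an added example that is not from the article or from Chrome; the allowed origin, the message shape and the name handleDialogRequest are assumptions:

```javascript
// Added example: host-page side of a postMessage dialog bridge.
// ALLOWED_ORIGINS and the message shape {type, id, text} are assumptions.
const ALLOWED_ORIGINS = new Set(["https://widgets.example"]); // constructed value

// Decide how to answer one message event. `confirmFn` renders the host
// page's own dialog and returns true/false.
function handleDialogRequest(event, confirmFn, allowed = ALLOWED_ORIGINS) {
  // Serve only frames the host agreed to embed; event.data alone proves nothing.
  if (!allowed.has(event.origin)) return null;
  const msg = event.data;
  if (!msg || msg.type !== "confirm-request") return null;
  if (typeof msg.id !== "string" || typeof msg.text !== "string") return null;
  // Cap the length and label the text with the requesting origin, so the
  // user can tell the embedded content is asking, not the host site.
  const text = msg.text.slice(0, 200);
  const label = `Embedded content from ${new URL(event.origin).host} asks:\n${text}`;
  const result = Boolean(confirmFn(label));
  return { type: "confirm-response", id: msg.id, result };
}

// Browser wiring: reply only to the frame that asked, pinned to its origin.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const reply = handleDialogRequest(event, (label) => window.confirm(label));
    if (reply && event.source) event.source.postMessage(reply, event.origin);
  });
}
```

The embedded frame would send its request with window.parent.postMessage({type: "confirm-request", id, text}, hostOrigin) and wait for the confirm-response carrying the same id.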
“This is the Chrome spike; what seems like a reasonably good idea that is hampered because it was thoughtlessly pushed back without making any serious effort to notify those involved or make sure nothing else gets broken, or make sure it completely fixes the problem,” developer Daniel Shumway wrote in a post on Hacker News.
“The product owners at Chrome are smart, but they’re sloppy and constantly breaking the web because they don’t seem to have enough sense of gravity or caution about what they’re doing.”