Block external protocol in sandboxed iframe
- Category
- Security
- Type
- No developer-visible change
- Status
- Enabled by default (Chrome 103)
- Intent stage
- Shipped
Summary
Block sandboxed iframes from opening external applications.
To allow it again, add at least one of the following values to the <iframe> element's sandbox attribute:
- allow-popups
- allow-top-navigation
- allow-top-navigation-by-user-activation
Or use the new dedicated token:
- allow-top-navigation-to-custom-protocols
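The following is an added example, not code from the Chrome feature entry or from the HTML specification. It turns the rule above into an audit check a site author can run over their own iframe markup: a sandboxed frame keeps the ability to navigate to an external protocol only if its sandbox attribute carries one of the four tokens listed; a frame with no sandbox attribute is not sandboxed at all, so nothing is blocked for it. The function names and the sample frames are constructed for the example.

```javascript
// Added example (not from the Chrome feature entry): evaluate whether an
// <iframe>'s sandbox attribute still permits navigation to an external
// protocol handler, following the rule in the summary above. Function names
// and sample data are hypothetical.

// Sandbox tokens that keep external-protocol navigation enabled inside a
// sandboxed frame. "allow-top-navigation-by-user-activation" is the token's
// spelling in the HTML specification.
const EXTERNAL_PROTOCOL_OPT_INS = new Set([
  "allow-popups",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);

// Split a sandbox attribute value into its tokens. The attribute is an
// ASCII-case-insensitive set of space-separated tokens, so normalize to
// lower case and split on HTML whitespace.
function parseSandboxTokens(value) {
  return new Set(
    value
      .toLowerCase()
      .split(/[ \t\n\f\r]+/)
      .filter((t) => t.length > 0)
  );
}

// Describe the external-protocol policy for one frame. `sandboxAttr` is null
// or undefined when the attribute is absent (frame not sandboxed, nothing is
// blocked) and a string otherwise ("" is the most restrictive sandbox).
function externalProtocolPolicy(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return { sandboxed: false, blocked: false, grantedBy: [] };
  }
  const tokens = parseSandboxTokens(sandboxAttr);
  const grantedBy = [...EXTERNAL_PROTOCOL_OPT_INS].filter((t) => tokens.has(t));
  return { sandboxed: true, blocked: grantedBy.length === 0, grantedBy };
}

// Audit a list of frames ({ id, sandbox }) and return the ids of sandboxed
// frames that can still open external applications, i.e. the ones a site
// author embedding untrusted content should look at twice.
function sandboxedFramesAllowingExternalProtocols(frames) {
  return frames
    .filter(({ sandbox }) => {
      const p = externalProtocolPolicy(sandbox);
      return p.sandboxed && !p.blocked;
    })
    .map(({ id }) => id);
}

// Constructed sample: frames of the kind found on a page embedding third-party ads.
const SAMPLE_FRAMES = [
  { id: "ad-slot-1", sandbox: "allow-scripts" },              // blocked
  { id: "ad-slot-2", sandbox: "allow-scripts allow-popups" }, // allowed via allow-popups
  { id: "ad-slot-3", sandbox: "" },                            // blocked (fully sandboxed)
  { id: "widget", sandbox: "Allow-Scripts ALLOW-TOP-NAVIGATION-TO-CUSTOM-PROTOCOLS" }, // allowed; tokens are case-insensitive
  { id: "legacy", sandbox: null },                            // not sandboxed at all
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of SAMPLE_FRAMES) {
    console.log(f.id, externalProtocolPolicy(f.sandbox));
  }
  console.log("needs review:", sandboxedFramesAllowingExternalProtocols(SAMPLE_FRAMES));
}
```

Run with `node` to list, for the constructed sample, which sandboxed frames still retain the capability. In a real page the same check can be fed from `document.querySelectorAll("iframe")` by reading each element's `getAttribute("sandbox")`, which returns null when the attribute is absent, matching the convention used here.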
Motivation
If site authors sandbox untrusted content and do not give it permission to navigate users away through ordinary navigations, they also do not want it to navigate away to an external app or the Play Store on top of their web page.
This problem was reported multiple times, by security researchers and by companies wanting to get rid of malvertising (malicious ads):
- https://github.com/whatwg/html/issues/2191
- https://crbug.com/1148777
Standards & signals
- Specification: https://github.com/whatwg/html/pull/7654
- Firefox: Positive — https://github.com/whatwg/html/pull/7654#:~:text=overall%20this%20seems%20good%20though%20and%20we%20might%20pick%20this%20up%20soonish%20in%20firefox
Update: Firefox has now implemented it.
- Safari: Shipped/Shipping — Safari already shipped the initial version with the new "allow-top-navigation-to-custom-protocols" opt-out flag. WebKit had to introduce a quirk to keep Microsoft Teams working.
Update: Safari has now implemented it.
Safari is also positive about replacing the quirk with the standardized flag.
https://github.com/whatwg/html/pull/7654#issuecomment-1048951254
- Web developers: Strongly positive — Amazon and multiple independent security researchers have filed feature requests:
- https://crbug.com/1148777
- https://crbug.com/1250415
- https://github.com/whatwg/html/issues/2191
- Tracking bug: https://crbug.com/1253379
Docs:
- https://docs.google.com/document/d/1hHjxQk1yLoC0ioBBYpIq4JJYAwj9sJfR5b62QcLt1eM/edit
- https://github.com/whatwg/html/pull/7124
- https://github.com/whatwg/html/pull/7654
Explainers: https://github.com/whatwg/html/issues/2191