Google reverses embarrassing website-breaking Chrome update
Change designed to prevent spoofing led to broken websites and web apps
Google has decided to temporarily reverse the removal of browser alert windows and other prompts created by cross-origin iframes in Chrome, after an update to its browser broke websites and web apps and caused an uproar among developers.
As reported by The Register, an iframe (short for inline frame) is a portion of a web page that is embedded in another web page. When an iframe contains resources from a different origin or domain, it is known as a cross-origin iframe.
The Chromium team has been planning since March of last year to limit the capabilities of cross-origin iframes because they are a security liability: they make it possible for an embedded resource such as an ad to show a prompt in Chrome as if it came from the host domain.
In an Intent to Remove notice posted in a Google Group last year, a Google engineer explained how cross-origin iframes can lead to spoofs, saying:
“The current user experience is confusing, and has previously led to spoofs where sites pretend the message comes from Chrome or a different website. Removing support for cross origin iframes’ ability to trigger the UI will not only prevent this kind of spoofing, but will also unblock further efforts to make the dialog more recognizable as part of the website rather than the browser.”
A well-intentioned change
While Google's decision to remove browser alert windows and prompts from Chrome was well-intentioned, its implementation has caused headaches for many developers.
To prevent spoofing, the search giant has blocked JavaScript code in cross-origin iframes from calling the alert, prompt and confirm methods on the browser's window object, which web developers frequently use to show dialog boxes. However, this change has broken many web apps and left developers frustrated, which is why Google decided to temporarily reverse it. Even so, the company plans to completely remove these prompt mechanisms from both same-origin contexts and cross-origin ones in the future in an effort to prevent them from being abused.
With the release of Chrome 92.0.4515.107 earlier this month, window.alert, window.prompt and window.confirm were deprecated in cross-origin iframes. This change has led to problems in a number of applications that use cross-origin iframes to show alerts, notifications and confirmation windows to their users.
To provide developers with more time to rewrite their apps and sites, Chrome has now disabled its deprecation until August 15.
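One way a site could be rewritten so that embedded frames no longer call window.alert, window.prompt or window.confirm themselves is to have the frame ask the host page for a dialog over postMessage. The sketch below is an added example, not code from Google, Chrome or the original article; the allowlisted origin, the message shape and the function names are assumptions made for illustration.

```javascript
// Added example: host-page broker for dialog requests coming from embedded frames.
// The origin below and the {id, kind, text} message shape are assumptions.
const ALLOWED_FRAME_ORIGINS = new Set(["https://widgets.example"]);
const DIALOG_KINDS = new Set(["alert", "confirm", "prompt"]);
const MAX_TEXT = 200;

// Validate a `message` event and turn it into a dialog description that
// always names the requesting origin. Returns null when the request is rejected.
function buildDialogRequest(event, allowed = ALLOWED_FRAME_ORIGINS) {
  // event.origin is filled in by the browser, so the sending frame cannot forge it.
  if (!allowed.has(event.origin)) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (typeof data.id !== "string") return null;
  if (!DIALOG_KINDS.has(data.kind) || typeof data.text !== "string") return null;
  // Replace control characters and cap the length so the frame's text
  // cannot push the attribution line out of view.
  const text = data.text.replace(/[\u0000-\u001f\u007f]/g, " ").slice(0, MAX_TEXT);
  return {
    id: data.id,
    kind: data.kind,
    title: `Embedded content from ${new URL(event.origin).host} says`,
    text,
  };
}

// Browser wiring: `render` is a host-owned function (hypothetical) that shows
// the dialog using textContent, never innerHTML, and resolves with the answer.
function installDialogBroker(win, render) {
  win.addEventListener("message", async (event) => {
    const request = buildDialogRequest(event);
    if (!request) return; // unknown origin or malformed request: ignore
    const result = await render(request);
    // Reply only to the origin that asked, never to "*".
    event.source.postMessage({ id: request.id, result }, event.origin);
  });
}

// Constructed sample events (not captured traffic).
const sampleEvents = [
  { origin: "https://widgets.example", data: { id: "1", kind: "confirm", text: "Delete item?" } },
  { origin: "https://ads.example", data: { id: "2", kind: "alert", text: "Chrome: update required" } },
];
for (const ev of sampleEvents) {
  console.log(ev.origin, "->", JSON.stringify(buildDialogRequest(ev)));
}
```

Because the host page draws the dialog, it controls the title line, which is what keeps an embedded resource from presenting a prompt as if it came from the host domain.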
Via The Register
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.