Google reverses embarrassing website-breaking Chrome update

Man annoyed at laptop
(Image credit: Marjan Apostolovic / Shutterstock)

Google has made the decision to temporarily reverse the removal of browser alert windows and other prompts created by cross-origin iframes in Chrome after an update to its browser led to an uproar from developers as well as broken websites and web apps.

As reported by The Register, an iframe, which is short for Inline Frame, is a portion of a web page that is embedded in another web page. However, when an iframe contains resources form a different origin or domain, it is known as a cross-origin iframe.

The Chromium team has been planning since March of last year to limit the capabilities of cross-origin iframes due to the fact that they are a security liability. This is because they make it possible for an embedded resource such as an ad to show a prompt in Chrome as if came from the host domain.

In an Intent to Remove notice posted in a Google Group last year, a Google engineer explained how cross-origin iframes can lead to spoofs, saying:

“The current user experience is confusing, and has previously led to spoofs where sites pretend the message comes from Chrome or a different website. Removing support for cross origin iframes’ ability to trigger the UI will not only prevent this kind of spoofing, but will also unblock further efforts to make the dialog more recognizable as part of the website rather than the browser.”

A well-intentioned change

While Google's decision to remove browser alert windows and prompts from Chrome was well-intentioned, its implementation has caused headaches for many developers.

To prevent spoofing, the search giant has disabled JavaScript code in cross-origin iframes from calling the alert, prompt and confirm methods on the browser's window object that web developers frequently use to show dialog boxes. However, this change has broken many web apps and has left developers frustrated which is why Google decided to temporarily reverse it. Still though, the company plans to completely remove these prompt mechanisms from both same-origin contexts  and cross-origin ones in the future in an effort to prevent them from being abused.

With the release of Chrome 92.0.4515.107 earlier this month, window.alert, window.prompt and window.confirm were deprecated from cross-origin iframes. This change has led to problems in a number applications that use cross-origin iframes to show alerts, notifications and confirmation windows to their users.

To provide developers with more time to rewrite their apps and sites, Chrome has now disabled its deprecation until August 15.

Via The Register

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.