- macaulayscott, asked on November 23, 2017 at 05:07 AM
I have just heard that future versions of Chrome will block scripts running in iframes to stop malicious ads. Will this also affect jotform functionality?
- JotForm Support (Nik_C), answered on November 23, 2017 at 06:23 AM
I'm not aware of such news; would you mind sharing the source of that info?
- macaulayscott, answered on November 23, 2017 at 06:34 AM
Heard it on the Security Now podcast with Steve Gibson on the TWiT TV network. Link to show notes: https://www.grc.com/sn/sn-637.htm
So, I mean, iframes have been sort of a controversial problem on the web for a long time. They are a means for one web page to embed another web page within itself, literally on the real estate of the hosting web page. In the HTML you declare a frame, a horizontal by vertical frame of a certain size or percentage of the page. And in this declaration you give it the URL of the web page to fill the frame with. And it doesn't have to be the same domain.
So this is inherently a cross-domain thing. This is a means of embedding any other web page. And in fact it's been used controversially by some less reputable sites to essentially embed good sites, like steal site content from some other web server. It's like, oh, look at our stuff, when in fact all they have is an iframe pointing somewhere else, but people get to that somewhere else by going to the primary site. So it's a convenience. It was the sort of thing that someone said, "Hey, wouldn't this be cool," back in the beginning, the dawn of the web. And everyone said, "Yeah, okay, fine, we'll put that in."
So the point is that this day and age it's typically the mechanism used for advertising. So you have a web page, and you want to host third-party ads on your page. So you give them an agreed-upon rectangular area on your page, and you point that to the web server's URL. The web server, when queried, they're going to see from the referrer header where the query is coming from. Oh, it's from these guys who are hosting our ad. And of course they also get cookies that belong to their domain, so they know who you are, looking at the site that is hosting the third-party service. So they get all this information; and they return, hopefully, an ad which you care about and which the site receives some remuneration for.
So I'm glad that Google is willing to do this. They sort of have to be the first people to be the icebreakers, after which other browsers could follow, presuming that this doesn't cause too big a problem. And they must have analyzed this in order to decide that, yup, the benefit for the user outweighs the tiny loss of functionality that this could incur. I mean, and especially since Google is largely advertising supported, and this is something that maybe a legitimate advertiser could use. They're just going to have to stop doing that because, after January and release 64, Chrome won't follow script-driven redirections from an iframe.
- JotForm Support (Chriistian), answered on November 23, 2017 at 08:57 AM
I found some articles regarding this (e.g. https://www.wired.com/story/chrome-stop-sketchy-sites-from-redirects/), and according to the article: "Beginning in Chrome 64, which is currently in developer preview, the browser will block third-party media components (HTML modules known as "iframes" that are often used to display things like ads) from triggering redirects unless you directly click on them."
As I understand it, this will only block iframes that redirect you to another page or open another page/tab when the iframe's embedded code is loaded. These changes in Chrome will not affect the functionality of JotForm.
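The rule quoted above is enforced by the browser, but an embedding site can already ask for the same behaviour itself through the standard iframe `sandbox` attribute, which is what the following added example builds (it is not JotForm's or the podcast's code, and it assumes a Node environment, with the host page and frame URLs being constructed sample values):

```javascript
// Site-side counterpart of the Chrome 64 rule: a third-party frame may run scripts
// and submit forms, but may navigate the top-level page only after a user gesture.

// Is the framed URL a different origin (scheme + host + port) from the hosting page?
function isThirdParty(hostPageUrl, frameUrl) {
  const host = new URL(hostPageUrl);
  const frame = new URL(frameUrl, hostPageUrl); // a relative src resolves against the host page
  return host.origin !== frame.origin;
}

// Sandbox tokens for a frame, or null when sandboxing would give no real isolation.
function sandboxTokensFor(hostPageUrl, frameUrl) {
  if (!isThirdParty(hostPageUrl, frameUrl)) {
    // A same-origin frame with allow-scripts + allow-same-origin can reach the parent
    // DOM and strip its own sandbox attribute, so the attribute buys nothing here.
    return null;
  }
  return [
    'allow-scripts',      // the ad or form script may run
    'allow-forms',        // form submission inside the frame still works
    'allow-popups',       // window.open is allowed; the popup inherits the sandbox
    'allow-same-origin',  // the frame keeps its own origin, so its cookies/storage work
    'allow-top-navigation-by-user-activation', // navigate `top` only after a real click
  ];
}

// Minimal attribute-value escaping so a src containing quotes cannot break out of the tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the <iframe> markup the hosting page should emit for `frameUrl`.
function iframeMarkup(hostPageUrl, frameUrl, width, height) {
  const attrs = [
    `src="${escapeAttr(frameUrl)}"`,
    `width="${Number(width)}"`,
    `height="${Number(height)}"`,
    // Limit what the Referer header reveals to the framed server (origin only when cross-origin).
    'referrerpolicy="strict-origin-when-cross-origin"',
  ];
  const tokens = sandboxTokensFor(hostPageUrl, frameUrl);
  if (tokens) attrs.push(`sandbox="${tokens.join(' ')}"`);
  return `<iframe ${attrs.join(' ')}></iframe>`;
}
```

A frame embedded this way can still redirect itself freely; only navigation of the hosting page is gated on the user's click, which is exactly the distinction the article draws.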
- macaulayscott, answered on November 28, 2017 at 06:29 AM
Good to know. Thanks.