Chrome modifications and iframe embedding

  • macaulayscott
    Asked on November 23, 2017 at 05:07 AM

    I have just heard that future versions of Chrome will block scripts running in iframes to stop malicious ads. Will this also affect JotForm functionality?

  • Nik_C
    Answered on November 23, 2017 at 06:23 AM

    I'm not aware of such news, would you mind sharing the source of such info?

    Thank you!

  • macaulayscott
    Answered on November 23, 2017 at 06:34 AM

    Heard it on Security Now podcast with Steve Gibson on Twit TV network. Link to show notes - https://www.grc.com/sn/sn-637.htm

    Pertinent info: Steve: And these are good. In the first case I'm glad that Google is willing to do this because it's deliberately breaking some proper behavior, but necessarily. So, okay. So with release 64 of Chrome, which is slated for January of next year, January 2018, Chrome will be blocking script-driven iframe redirects. This is a consequence of the history of abuse by embedded malvertising. Chrome will no longer accept URL redirections triggered by JavaScript code residing within iframes.

    So, I mean, iframes have been sort of a controversial problem on the web for a long time. They are a means for one web page to embed another web page within itself, literally on the real estate of the hosting web page. In the HTML you declare a frame, a horizontal by vertical frame of a certain size or percentage of the page. And in this declaration you give it the URL of the web page to fill the frame with. And it doesn't have to be the same domain.

    So this is inherently a cross-domain thing. This is a means of embedding any other web page. And in fact it's been used controversially by some less reputable sites to essentially embed good sites, like steal site content from some other web server. It's like, oh, look at our stuff, when in fact all they have is an iframe pointing somewhere else, but people get to that somewhere else by going to the primary site. So it's a convenience. It was the sort of thing that someone said, "Hey, wouldn't this be cool," back in the beginning, the dawn of the web. And everyone said, "Yeah, okay, fine, we'll put that in."

    So the point is that this day and age it's typically the mechanism used for advertising. So you have a web page, and you want to host third-party ads on your page. So you give them an agreed-upon rectangular area on your page, and you point that to the web server's URL. The web server, when queried, they're going to see from the referrer header where the query is coming from. Oh, it's from these guys who are hosting our ad. And of course they also get cookies that belong to their domain, so they know who you are, looking at the site that is hosting the third-party service. So they get all this information; and they return, hopefully, an ad which you care about and which the site receives some remuneration for.

    The problem is this very powerful facility can also run, I mean, it's a full web page, which means it can run JavaScript. It can run code. And this has been used by malware that is injected into legitimate advertising services in order to get users to click on something, and they click on something, and that installs something into their computer that they don't want, and it's all bad. So the point is this is all standards-based. And so I take my hat off to Chrome for deciding we're going to break something which is being abused because, even though it's legitimate, that is, it's not something that needs to be fixed, it's always been possible. They're going to say, eh, we're going to stop making that possible. We're willing to take the hit for script running in an iframe that attempts to redirect to somewhere else. We're going to have Chrome look at that behavior and not abide it, not follow that redirect.

    So I'm glad that Google is willing to do this. They sort of have to be the first people to be the icebreakers, after which other browsers could follow, presuming that this doesn't cause too big a problem. And they must have analyzed this in order to decide that, yup, the benefit for the user outweighs the tiny loss of functionality that this could incur. I mean, and especially since Google is largely advertising supported, and this is something that maybe a legitimate advertiser could use. They're just going to have to stop doing that because, after January and release 64, Chrome won't follow script-driven redirections from an iframe.

  • Chriistian
    Answered on November 23, 2017 at 08:57 AM

    I found some articles regarding this (i.e. https://www.wired.com/story/chrome-stop-sketchy-sites-from-redirects/) and based on the article "Beginning in Chrome 64, which is currently in developer preview, the browser will block third-party media components (HTML modules known as "iframes" that are often used to display things like ads) from triggering redirects unless you directly click on them."

    As I understand this, it seems this will only block iframes that redirect you to another page or open another page/tab when the iframe embedded code is loaded. This change in Chrome will not affect the functionality of JotForm.
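
Independently of the browser-side change discussed in this thread, the embedding page can restrict what a framed document may do to the top-level page with the HTML `sandbox` attribute. The following is an added example, not part of the original thread and not JotForm's code: a small audit of embed markup that reports, per iframe, whether the sandbox policy lets framed script navigate the top page. The sample markup, the `.example` hostnames and the verdict labels are constructed for illustration.

```javascript
// Added example: audit embed markup for iframes whose sandbox policy permits top-level navigation.
// SAMPLE_MARKUP is constructed; hostnames use the reserved .example TLD.
const SAMPLE_MARKUP = `
<iframe src="https://forms.example/contact"></iframe>
<iframe src="https://ads.example/slot1" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-forms allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://widgets.example/clock" sandbox="allow-scripts"></iframe>
<iframe src="https://static.example/banner" sandbox></iframe>
`;

// Read one attribute from a tag's text. Returns null when the attribute is absent
// and "" when it is present without a value (a bare `sandbox`).
function getAttr(tag, name) {
  const m = new RegExp(`\\s${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?(?=[\\s/>])`, 'i').exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? '';
}

// Map a sandbox attribute value to what the sandbox policy says about the frame
// navigating the top-level page. Verdict labels are this example's own.
function classifyTopNavigation(sandbox) {
  if (sandbox === null) return 'browser-default';   // no sandbox: only browser policy applies
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  if (!tokens.has('allow-scripts')) return 'no-script';            // framed JavaScript never runs
  if (tokens.has('allow-top-navigation')) return 'script-may-redirect';
  if (tokens.has('allow-top-navigation-by-user-activation')) return 'click-required';
  return 'blocked';                                  // scripts run, top navigation denied
}

// Regex tag matching is enough for an audit of simple embed snippets; it is not a full HTML parser.
function auditIframes(markup) {
  const tags = markup.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => ({
    src: getAttr(tag, 'src'),
    verdict: classifyTopNavigation(getAttr(tag, 'sandbox')),
  }));
}

for (const { src, verdict } of auditIframes(SAMPLE_MARKUP)) {
  console.log(`${verdict.padEnd(20)} ${src}`);
}
```

Frames reported as `browser-default` or `script-may-redirect` are the ones worth reviewing when the framed content comes from a third party.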



  • macaulayscott
    Answered on November 28, 2017 at 06:29 AM

    Good to know. Thanks.