To give you the best possible experience, this site uses cookies. Review our Privacy Policy and Terms of Service to learn more. Verstanden!
Artwork

Tech Startups Business Entrepreneur CodePen Blog Tech I Got
Inhalt bereitgestellt von CodePen Blog. Alle Podcast-Inhalte, einschließlich Episoden, Grafiken und Podcast-Beschreibungen, werden direkt von CodePen Blog oder seinem Podcast-Plattformpartner hochgeladen und bereitgestellt. Wenn Sie glauben, dass jemand Ihr urheberrechtlich geschütztes Werk ohne Ihre Erlaubnis nutzt, können Sie dem hier beschriebenen Verfahren folgen https://de.player.fm/legal.

Ähnelt CodePen Radio

Player FM - Podcast-App
Gehen Sie mit der App Player FM offline!
Get it on App Store Get it on Google Play

CodePen Radio »
417: Iframe Allow Attribute Saga

 
Abspielen
Abspielen
Teilen
 

MP3Episode-Home
Manage episode 520143023 series 181913
Inhalt bereitgestellt von CodePen Blog. Alle Podcast-Inhalte, einschließlich Episoden, Grafiken und Podcast-Beschreibungen, werden direkt von CodePen Blog oder seinem Podcast-Plattformpartner hochgeladen und bereitgestellt. Wenn Sie glauben, dass jemand Ihr urheberrechtlich geschütztes Werk ohne Ihre Erlaubnis nutzt, können Sie dem hier beschriebenen Verfahren folgen https://de.player.fm/legal.

There was a day not long ago where a Google Chrome browser update left any page with a CodePen Embed on it throwing a whole big pile of red JavaScript errors in the console. Not ideal, obviously.

The change was related to how the browser handles allow attributes on iframes (i.e. ). CodePen was calculating the appropriate values inside an iframe for a <em>nested</em> iframe. That must have been a security issue of sorts, as now those values need to be present on the <em>outside</em> iframe as well.</p> <p><a href="https://blog.codepen.io/2025/10/20/google-chrome-iframe-allow-permissions-problems/">We documented all this in a blog post</a> so hopefully we could get some attention from Chrome on this, and for other browser makers as well since it affects all of us. </p> <p>And I posted it on the ol' social media:</p> <p>Huge thanks to Bramus Van Damme who saw this, triaged it at Chrome, and had a resolution within a day:</p> <p>I think <a href="https://chromium-review.googlesource.com/c/chromium/src/+/7074672">the patch</a> is a great change so hats off to everyone involved for getting it done so quickly. It's already in Canary and don't really know when it'll get the stable but that sure will be good. It follows how Safari is doing things where values that aren't understood are just ignored (which we think is fine and inline with how HTML normally works). </p> <p>Fortunately we were able to mitigate the problem <em>a little</em> until then. For <em>most</em> Embedded Pens, a <script> is loaded on the page embedding it, and we dynamically create the <iframe> for you. This is just nice as it makes making an accessible fallback easier and gives you access to API-ish features for the embeds. We were able to augment that script to do a little browser user-agent sniffing and apply the correct set of allow attributes on the iframe, as to avoid those JavaScript errors we were seeing.</p> <p>But there's the rub: we'd rather not do any user-agent sniffing at all. </p> <p>If we could just put <em>all</em> the possible allow attributes we want on there, and not be terribly concerned if any particular browser didn't support any particular value, that would be ideal. We just can't have the scary console errors, out of concern for our users who may not understand them. </p> <p>Where we're at in the saga now is that:</p> <ol class="wp-block-list"> <li>We're waiting for the change to Chrome to get to stable.</li> <li>We're hoping Safari stays the way it is.</li> <li>OH HI FIREFOX.</li> </ol> <p>On that last point, if we put all the allow attributes we would want to on an <iframe> in Firefox, we also get console-bombed. This time not with red-errors but with yellow-warnings. </p> <p>So yes, hi Firefox, if you could also not display these warnings (unless a reporting URL is set up) that would be great. We'd be one less website out there relying on user-agent sniffing. </p>

  continue reading

171 Episoden

#Tech Startups #Business #Entrepreneur #CodePen Blog #Tech #I Got
Artwork

417: Iframe Allow Attribute Saga

CodePen Radio

78 subscribers

published

Abspielen Abspielen
iconTeilen
 
MP3Episode-Home
Manage episode 520143023 series 181913
Inhalt bereitgestellt von CodePen Blog. Alle Podcast-Inhalte, einschließlich Episoden, Grafiken und Podcast-Beschreibungen, werden direkt von CodePen Blog oder seinem Podcast-Plattformpartner hochgeladen und bereitgestellt. Wenn Sie glauben, dass jemand Ihr urheberrechtlich geschütztes Werk ohne Ihre Erlaubnis nutzt, können Sie dem hier beschriebenen Verfahren folgen https://de.player.fm/legal.

There was a day not long ago where a Google Chrome browser update left any page with a CodePen Embed on it throwing a whole big pile of red JavaScript errors in the console. Not ideal, obviously.

The change was related to how the browser handles allow attributes on iframes (i.e. ). CodePen was calculating the appropriate values inside an iframe for a <em>nested</em> iframe. That must have been a security issue of sorts, as now those values need to be present on the <em>outside</em> iframe as well.</p> <p><a href="https://blog.codepen.io/2025/10/20/google-chrome-iframe-allow-permissions-problems/">We documented all this in a blog post</a> so hopefully we could get some attention from Chrome on this, and for other browser makers as well since it affects all of us. </p> <p>And I posted it on the ol' social media:</p> <p>Huge thanks to Bramus Van Damme who saw this, triaged it at Chrome, and had a resolution within a day:</p> <p>I think <a href="https://chromium-review.googlesource.com/c/chromium/src/+/7074672">the patch</a> is a great change so hats off to everyone involved for getting it done so quickly. It's already in Canary and don't really know when it'll get the stable but that sure will be good. It follows how Safari is doing things where values that aren't understood are just ignored (which we think is fine and inline with how HTML normally works). </p> <p>Fortunately we were able to mitigate the problem <em>a little</em> until then. For <em>most</em> Embedded Pens, a <script> is loaded on the page embedding it, and we dynamically create the <iframe> for you. This is just nice as it makes making an accessible fallback easier and gives you access to API-ish features for the embeds. We were able to augment that script to do a little browser user-agent sniffing and apply the correct set of allow attributes on the iframe, as to avoid those JavaScript errors we were seeing.</p> <p>But there's the rub: we'd rather not do any user-agent sniffing at all. </p> <p>If we could just put <em>all</em> the possible allow attributes we want on there, and not be terribly concerned if any particular browser didn't support any particular value, that would be ideal. We just can't have the scary console errors, out of concern for our users who may not understand them. </p> <p>Where we're at in the saga now is that:</p> <ol class="wp-block-list"> <li>We're waiting for the change to Chrome to get to stable.</li> <li>We're hoping Safari stays the way it is.</li> <li>OH HI FIREFOX.</li> </ol> <p>On that last point, if we put all the allow attributes we would want to on an <iframe> in Firefox, we also get console-bombed. This time not with red-errors but with yellow-warnings. </p> <p>So yes, hi Firefox, if you could also not display these warnings (unless a reporting URL is set up) that would be great. We'd be one less website out there relying on user-agent sniffing. </p>

  continue reading

171 Episoden

#Tech Startups #Business #Entrepreneur #CodePen Blog #Tech #I Got

Alle Folgen

×
 
Loading …

Willkommen auf Player FM!

Player FM scannt gerade das Web nach Podcasts mit hoher Qualität, die du genießen kannst. Es ist die beste Podcast-App und funktioniert auf Android, iPhone und im Web. Melde dich an, um Abos geräteübergreifend zu synchronisieren.

 

Ähnelt CodePen Radio

Höre 500+ Themen zu
Player FM - Podcast-App
Gehen Sie mit der App Player FM offline!
Get it on App Store Get it on Google Play

Kurzanleitung

Top Podcasts
kicker Daily Podcast
Sportradio360 - Der Sportpodcast seit 2011
Sportgespräch
Wirtschaft im Gespräch
WDR 2 Kabarett
Die Blaue Stunde
Kultur heute
Ö1 Leporello
Das Verbrauchermagazin
Wissenschaftsmagazin
tagesschau: Die 20 Uhr Nachrichten (Audio)
Unboxing News - Deutschlandfunk Nova
happy, holy & confident® Dein Podcast fürs Herz und den Verstand
Wissenschaft im Brennpunkt
WDR 5 Quarks - Wissenschaft und mehr
Blaue Couch
WDR 5 Dok 5 - das Feature
Verbrechen
Der Benecke
Geheimakte
Player FM logo
Hilfe/FAQ | Upgrade | Werben
Kunst|Wirtschaft|Komödien|Wirtschaft|Unterhaltung|Nachrichten|Politik|Religion
Wissenschaft|Fußball|Sport|Geschichtenerzählen|Technologie|Wahre Kriminalfälle
Copyright 2025 | Datenschutzbestimmungen | Nutzungsbedingungen | | Urheberrechte ©
Episode being played series thumbnail
icon icon
Geschwindigkeit
Serie Einstellungen
1x
1x
Volume
100%
icon
icon icon
/

View Player FM in ...
Player FM
Browser
Chrome
Safari
Firefox
Hören Sie sich diese Show an, während Sie die Gegend erkunden
Abspielen