Restrict framebusting ability by requiring a relevant user gesture unless it is same-origin to the parent

Summary Content in an <iframe> can generally navigate the top level browsing context unless explicitly forbidden by the sandbox attribute (sometimes called 'framebusting'). Restrict this ability to content that is processing a user gesture, unless it is same-origin to the parent. Motivation Framebusting was originally used by content that wanted to prevent being placed in an <iframe> but it's being abused. There are other, more specific tools to accomplish the original use case.

Documentation

• https://github.com/WICG/interventions/issues/16

Status in Chromium

Blink components: Blink

In development (launch bug)

Consensus & Standardization

• Firefox: No public signals
• Edge: No public signals
• Safari: No public signals
• Web Developers: No signals

Last updated on 2017-06-14