Summary Content in an <iframe> can generally navigate the top level browsing context unless explicitly forbidden by the sandbox attribute (sometimes called 'framebusting'). Restrict this ability to content that is processing a user gesture, unless it is same-origin to the parent. Motivation Framebusting was originally used by content that wanted to prevent being placed in an <iframe> but it's being abused. There are other, more specific tools to accomplish the original use case.
Documentation
Status in Chromium
Enabled by default (tracking bug) in:
- Chrome for desktop release 68
- Chrome for Android release 68
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
- No signal
- No signal
- No signal
- No signals
Owner
Last updated on 2020-11-09