Deprecation of JavaScript iFrame Functions Begins

Chrome removes support for certain JavaScript iFrame functions, breaking websites and applications. The lack of timeline communication to developers forced Chrome to temporarily roll back the change.

There has long been a standing rule among developers, a sort of “prime directive” way to approach standards. That rule says, “Don’t break the internet.” It doesn’t matter what project you are working on or what you’re trying to do, just don’t break the internet. Yet that’s exactly what happened when Chrome removed support for certain JavaScript functions in iFrame (cross-domain) platforms. Removal of alert functions saw web apps and web pages break and lose all functionality over the last few weeks, causing Chrome to roll back the update to give devs time to prepare for the change.

The handling of the deprecation of some JavaScript functions, including alert(), confirm(), and prompt(), was not done well by Chrome. While they posted an Intent to Remove notice, citing security issues with iFrame alert functions, their timeline of deprecating the functions was not published. One day, they simply stopped working, much to the chagrin of devs worldwide. Which is why they rolled back the change, temporarily, to allow devs time to adjust for the change.

This change is also the first step in removing support for JavaScript dialogs in cross-origin iFrames on the web platform entirely. Yes, entirely. JavaScript dialogs are not going anywhere yet, but, at some point in the future, you will not be able to use them across domains AT ALL. 

According to CodePen’s Chris Coyier, which uses cross-origin iFrames for every customer, “For now, even the cross-origin removal is delayed until January 2022, but as far as we know this is going to proceed, and then subsequent steps will happen to remove them entirely. This is spearheaded by Chrome, but the status reports that both Firefox and Safari are on board with the change. Plus, this is a specced change, so I guess we can waggle our fingers literally everywhere here, if you, like me, feel like this wasn’t particularly well-handled.”

Indeed, the sentiment among devs is that this wasn’t well-handled at all. However, the good news is that there is now awareness that this is happening, whether we like it or not. The bad news is that JavaScript using iframe dialogs will break and have to be re-written with the new methods. It’s not just Chromium that is deprecating cross-origin iFrames, Firefox, Safari and Microsoft are all in line to do the same.

The ramifications of this are unknown. The question remains, why not update these functions rather than remove them entirely? Not only will this require an intense re-education for current devs to figure out new ways to provide the same functions to their users, but it will also cause users (and even some devs) to use older browsers longer. Using older browsers poses a security risk for businesses because they lack support. And if your business has a regular modernization cycle (which it should), then those older browsers cause technical debt your business doesn’t need.

As a business leader or owner, you want to make sure that all of your systems are up to date, that all software and known vulnerabilities in technology are patched, that tech debt is kept to a minimum. Most devs and internal IT teams are incredibly overworked and struggling to keep up with their daily tasks. Don’t make more work for them, bring in an expert who can help you ensure your business and security are modernized and stable. Big changes like this happen from time-to-time, so it’s important you have someone you can call at a moment’s notice for assistance. Build that relationship and make sure your business stays in business!

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran, who founded or co-founder several companies. He acts as a trusted advisor and mentor to numerous early stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. Has also authored the highly influential precursor HAZL (jADE) programming language.

Contact us

Contact Us About Anything

Need Project Savers, Tech Debt Wranglers, Bleeding Edge Pushers?

Please drop us a note let us know how we can help. If you need help in a crunch make sure to mark your note as Urgent. If we can't help you solve your tech problem, we will help you find someone who can.

1350 Avenue of the Americas, New York City, NY