1

I have this situation:

A page from http://desktop.ourdomain.local contains an iframe with src="http://legacy-application.ourdomain.local"

http://legacy-application.ourdomain.local, makes extensive use of alerts and prompts, which worked fine until google released chrome 92, which states that this is no more an option (see https://www.chromestatus.com/feature/5148698084376576)

Tried many things among those explained here

And many trials about CORS, and many combinations of iframe sandboxing (allow-same-origin allow-scripts allow-modal ...)

Did anybody run into the same problem, and solved ?

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
selganor
  • 79
  • 11
  • @Bravo, yes I know, but as the url suggests, it is a legacy-application... one of those things that you know to be working but you don't know how :) – selganor Jul 29 '21 at 13:48
  • ahh, OK - well, does any chrome documentation explain any ways around it - it's not like google to make such a change without having some sort of workaround during some "phase in" period - oh, wait, that's exactly what google does – Bravo Jul 29 '21 at 13:50
  • Having read some of the discussion etc, this is in a "deprecation trial" until version 96 - so ... there must be some way around it – Bravo Jul 29 '21 at 13:52
  • *Affected sites can use the origin trial to temporarily opt-out of this change* - that's helpful ... not – Bravo Jul 29 '21 at 13:54
  • 1
    https://groups.google.com/a/chromium.org/g/blink-dev/c/hTOXiBj3D6A/m/Uo8eLpUMBAAJ - *The only recourse you have is to register for the Origin Trial for Disable Different Origin Subframe Dialog Suppression & follow the Origin Trials Guide for Web Developers guide to add the token you receive upon registration to your iframe pages. This will buy you some extra time (until December 15th at this stage) to replace any JS dialogs in your application. Once the trial has ended, the behaviour you're experiencing in your application at the moment will be permanent.* – Bravo Jul 29 '21 at 13:58
  • I've registered and got a key to disable the chrome feature [here](https://developer.chrome.com/origintrials/#/register_trial/2541156089743802369) . Unfortunately the key works only for https environments, but upgrading from http to https the legacy application, should be easier than rewriting it (at least antil december ;-) ) – selganor Jul 30 '21 at 13:40

1 Answers1

0

As pointed out by @Bravo, google provides a way to "disable" the restriction, at least until they decide to keep it or remove, that will happen on december 15, when releasing chrome 96. here I was able to obtain a token that can be added as value of an "Origin-Trial" header on the pages requiring the feature to be disabled. The token does its job only if the sites are served in https, but this should be easier to solve than rewriting all the forms using alerts and confirms ! In the mean while I have the time to find a definitive solution.

selganor
  • 79
  • 11