Framebust out of webviews #347
Labels
Core
privacy-tracker
Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.
security-tracker
Group bringing to attention of security, or tracked by the security Group but not needing response.
Native apps typically open links to websites in a webview. This means that the app can track user behavior, including injecting script into the displayed third-party website. Users would likely prefer to visit the link in the native browser.
There is a similarity to the way websites would use `<frame>` in the early days of the web to include, and control, third party websites. An existing solution, the X-Frame-Options HTTP header, was used to enable websites to break out of such frames. The same, existing solution should be enabled on webviews so that websites could express the desire to be viewed in a browser.
This was suggested by Adrian Holovaty in "Let websites framebust out of native apps".