Bookmark: "Let websites framebust out of native apps"

Sebastian Greger


Adrian Holovaty highlights a massive security and privacy issue: native apps on mobile operating systems ignore the HTTP headers that instruct a user agent never to display a website in a framed context. Worse, mobile apps may display such pages inside an in-app webview with extraneous JavaScript trackers injected.

At the moment, the article points out, the power in this context lies firmly with the native app and the OS. The interests of the user and the website provider are ignored, at their expense.

Let’s hope that starting this conversation eventually leads to a change in conduct at industry level:

So my proposal is this: Apple and Google should honor the existing X-Frame-Options HTTP header in webviews. If a website is loaded into a webview, and the website includes the appropriate X-Frame-Options header, the mobile OS should immediately stop loading the webview and open the URL in the user’s preferred web browser.
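As an added illustration of that proposal (this is not code from the article, nor from Apple or Google), here is a small Python routine modelling the decision a webview would make after receiving a page's response headers: render it, or stop and hand the URL to the user's browser. It assumes a webview is never same-origin with the site it embeds and has no framing document that could match an ALLOW-FROM URI; the sample headers are constructed.

```python
"""Decision model for the proposed webview behaviour (added example, not the
article's code). A webview inspects the X-Frame-Options header of the page it is
about to load and hands off to the user's browser if the site opted out of
being displayed in an embedded context."""
from enum import Enum


class Action(Enum):
    RENDER_IN_WEBVIEW = "render"
    OPEN_IN_BROWSER = "handoff"


def parse_x_frame_options(headers):
    """Collect X-Frame-Options directive tokens (header name case-insensitive,
    value trimmed and upper-cased, only the first token of each value kept)."""
    tokens = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            parts = value.strip().upper().split()
            tokens.append(parts[0] if parts else "")
    return tokens


def decide(headers):
    """headers: list of (name, value) pairs as received from the server.
    Assumption: a webview cannot satisfy SAMEORIGIN or ALLOW-FROM, so any
    recognised restriction means the page must open in the real browser.
    Conflicting values across several header lines fail closed; a single
    unrecognised value is ignored, as browsers do, and the page renders."""
    tokens = parse_x_frame_options(headers)
    if not tokens:
        return Action.RENDER_IN_WEBVIEW
    distinct = set(tokens)
    if len(distinct) > 1:
        return Action.OPEN_IN_BROWSER          # conflicting directives: fail closed
    token = distinct.pop()
    if token in ("DENY", "SAMEORIGIN", "ALLOW-FROM"):
        return Action.OPEN_IN_BROWSER
    return Action.RENDER_IN_WEBVIEW            # invalid directive, ignored


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "opted out":    [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
        "same origin":  [("x-frame-options", " sameorigin ")],
        "no header":    [("Content-Type", "text/html")],
        "conflicting":  [("X-Frame-Options", "DENY"), ("X-Frame-Options", "BOGUS")],
    }
    for label, hdrs in samples.items():
        print(f"{label:12s} -> {decide(hdrs).value}")
```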
