Bookmark: "Let websites framebust out of native apps"

2022-08-11

Bookmarked:

Let websites framebust out of native apps

holovaty.com

Adrian Holovaty highlights a massive security and privacy issue, as native apps on mobile OSs ignore the HTTP headers instructing a user agent to never display a website in a framed context. Instead, mobile apps may even display such pages with extraneous JavaScript trackers injected.

At the moment, the article points out, the power in this context is firmly in the hands of the native app and the OS. The interests of the user and the website provider are ignored at their expense.

Let’s hope starting this conversation may eventually lead to a change in conduct at industry level:

So my proposal is this: Apple and Google should honor the existing X-Frame-Options HTTP header in webviews. If a website is loaded into a webview, and the website includes the appropriate X-Frame-Options header, the mobile OS should immediately stop loading the webview and open the URL in the user’s preferred web browser.

I'm Sebastian, Sociologist and Interaction Designer. This journal is mostly about bringing together social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. I also tend to a "digital garden" with carefully curated resources.

My occasionally sent email newsletter has all of the above, and there is of course also an RSS feed or my Mastodon/Fediverse profile.

Discussion:

Name

Comment *

Available formatting commands

Use Markdown commands or their HTML equivalents to add simple formatting to your comment:

Text markup

*italic*, **bold**, ~~strikethrough~~, `code` and <mark>marked text</mark>.

Lists

- Unordered item 1
- Unordered list item 2

1. Ordered list item 1
2. Ordered list item 2

Quotations

> Quoted text

Code blocks

```
// A simple code block
```

```php
// Some PHP code
phpinfo();
```

Links

[Link text](https://example.com)

Full URLs are automatically converted into links.