Chrome 110, scheduled to roll out on February 7, 2023, changes how it handles the Web Share API: to improve privacy and security, a page must now explicitly allow third-party content to use the API.
This might not be something that an individual publisher needs to act on.
It’s probably more relevant on the developer side where they are making things like web apps that use the Web Share API.
Nevertheless, it’s good to know what it is for the rare situation when it might be useful for diagnosing why a webpage doesn’t work.
The Mozilla developer page describes the Web Share API:
“The Web Share API allows a site to share text, links, files, and other content to user-selected share targets, utilizing the sharing mechanisms of the underlying operating system.
These share targets typically include the system clipboard, email, contacts or messaging applications, and Bluetooth or Wi-Fi channels.
…Note: This API should not be confused with the Web Share Target API, which allows a website to specify itself as a share target”
An attribute is a piece of HTML markup that modifies an HTML element in some way.
For example, the nofollow attribute modifies the <a> anchor element by signaling to search engines that the link is not trusted.
The <iframe> is an HTML element, and it can be modified with the allow="web-share" attribute.
An <iframe> allows a webpage to embed HTML, usually from another website.
Iframes are everywhere, such as in advertisements and embedded videos.
The problem with an iframe that contains content from another site is that it creates the possibility of showing unwanted content or allowing malicious activities.
That is the problem the allow="web-share" attribute addresses, by setting a permission policy for the iframe.
This specific permission policy (allow="web-share") tells the browser that the embedding page allows the third-party content inside the iframe to trigger the share action.
Google’s announcement uses this example of the attribute in use:
<iframe allow="web-share" src="https://third-party.example.com/iframe.html"></iframe>
Google calls this “a potentially breaking change in the Web Share API.”
The announcement warns:
“If a sharing action needs to happen in a third-party iframe, a recent spec change requires you to explicitly allow the operation.
Do this by adding an allow attribute to the <iframe> tag with a value of web-share.
This tells the browser that the embedding site allows the embedded third-party iframe to trigger the share action.”
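For diagnosing a page where an embedded share button stopped working, the check below lists the iframes that are not allowed to trigger a share action. It is an added example, not code from Google's announcement; the function names, the `{ src, allow }` input shape, and every sample URL except the announcement's own are assumptions, as is the premise that the embedding page sends no Permissions-Policy header restricting web-share.

```javascript
// Added example. Assumes the embedding page sends no Permissions-Policy
// header restricting web-share, so only the iframe's allow attribute matters.

// "web-share; camera 'none'" -> Map { "web-share" => [], "camera" => ["'none'"] }
function parseAllow(allow) {
  const policy = new Map();
  for (const directive of (allow || "").split(";")) {
    const [feature, ...list] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature && !policy.has(feature)) policy.set(feature, list);
  }
  return policy;
}

// frame = { src, allow } as read from the <iframe> tag (hypothetical shape).
function canShare(pageUrl, frame) {
  const pageOrigin = new URL(pageUrl).origin;
  const frameOrigin = new URL(frame.src, pageUrl).origin;
  const list = parseAllow(frame.allow).get("web-share");
  // No web-share directive: the default allowlist is 'self' (same-origin only).
  if (list === undefined) return frameOrigin === pageOrigin;
  // Bare allow="web-share" is shorthand for 'src', the origin in the src URL.
  if (list.length === 0) return true;
  return list.some((token) => {
    if (token === "*" || token === "'src'") return true;
    if (token === "'self'") return frameOrigin === pageOrigin;
    if (token === "'none'") return false;
    try { return new URL(token).origin === frameOrigin; } catch { return false; }
  });
}

// Returns the src of every iframe that cannot trigger a share action.
function auditFrames(pageUrl, frames) {
  return frames.filter((f) => !canShare(pageUrl, f)).map((f) => f.src);
}

// Constructed sample: the first entry is the iframe from Google's example.
const PAGE = "https://publisher.example/article";
const FRAMES = [
  { src: "https://third-party.example.com/iframe.html", allow: "web-share" },
  { src: "https://widgets.example.net/share.html", allow: "fullscreen" },
  { src: "/related.html", allow: "" },
  { src: "https://ads.example.org/unit.html", allow: "web-share 'none'" },
];
console.log(auditFrames(PAGE, FRAMES));
```

In a browser console, the `frames` argument can be built from `document.querySelectorAll('iframe')` using each element's `src` and `getAttribute('allow')`.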
Read the announcement at Google’s Chrome webpage:
New requirements for the Web Share API in third-party iframes