Affecting Loading of external protocol URL in <iframe> is now blocked

Published: | Categories: Miscellaneous


On Firefox 66 and later, in order to avoid DoS-like attacks, external protocol URLs that don’t return any data can no longer be loaded in an <iframe>. The affected protocols include mailto that could be used to open an email client, as shown below:

<!-- This kind of URLs will be blocked from now on -->
<iframe src=""></iframe>
<iframe src="ircs://"></iframe>
<iframe src="itms://"></iframe>

Regular links like <a href="mailto:..."> and JavaScript code like location.href='mailto:...' will continue working.

Update: This change has been postponed to Firefox 67 so Mozilla developers can deal with site compatibility issues.