Loading of external protocol URL in <iframe> is now blocked

Published: | Categories: Miscellaneous

Description

On Firefox 66 and later, in order to avoid DoS-like attacks, external protocol URLs that don’t return any data can no longer be loaded in an <iframe>. The affected protocols include mailto, which could be used to open an email client, as shown below:

<!-- URLs of this kind will be blocked from now on -->
<iframe src="mailto:support@example.com"></iframe>
<iframe src="ircs://irc.mozilla.org/firefox"></iframe>
<iframe src="itms://itunes.apple.com/us/app/apple-store/id989804926"></iframe>

Regular links like <a href="mailto:..."> and JavaScript code like location.href='mailto:...' will continue working.

Update: This change has been postponed to Firefox 67 so Mozilla developers can deal with site compatibility issues.
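
To find markup that this change affects, a site's HTML can be scanned for <iframe> elements whose src uses an external protocol. The following is an added example, not part of the original note or of Firefox; the function name and the INTERNAL_SCHEMES list are assumptions to adjust for your site.

```javascript
// Added example: audit markup for <iframe> elements whose src uses an
// external protocol (the pattern this note says Firefox will block).

// Assumption: schemes the browser renders itself; anything else is treated
// as handed off to an external application.
const INTERNAL_SCHEMES = new Set([
  "http", "https", "about", "data", "blob", "javascript", "file",
]);

// Matches an <iframe ...> start tag and captures its attribute text.
const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
// Captures the src value: double-quoted, single-quoted, or unquoted.
// The leading (?:^|\s) keeps attributes such as data-src from matching.
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
// URL scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
const SCHEME = /^([a-z][a-z0-9+.-]*):/i;

function findExternalProtocolIframes(html) {
  const findings = [];
  for (const tag of html.matchAll(IFRAME_TAG)) {
    const attr = SRC_ATTR.exec(tag[1]);
    if (!attr) continue; // no src attribute (e.g. srcdoc-only iframe)
    const src = (attr[1] ?? attr[2] ?? attr[3]).trim();
    const scheme = SCHEME.exec(src);
    if (!scheme) continue; // relative URL, resolved against the page
    const name = scheme[1].toLowerCase();
    if (!INTERNAL_SCHEMES.has(name)) {
      findings.push({ scheme: name, src, index: tag.index });
    }
  }
  return findings;
}

// Constructed sample markup; the first three src values are from this note.
const SAMPLE = `
<iframe src="mailto:support@example.com"></iframe>
<IFRAME width=0 SRC='ircs://irc.mozilla.org/firefox'></IFRAME>
<iframe src=itms://itunes.apple.com/us/app/apple-store/id989804926></iframe>
<iframe src="https://example.com/embed"></iframe>
<iframe src="/local/widget.html"></iframe>
<a href="mailto:support@example.com">Mail us</a>
`;

for (const f of findExternalProtocolIframes(SAMPLE)) {
  console.log(`offset ${f.index}: <iframe> loads ${f.scheme}: URL -> ${f.src}`);
}
```

Each reported <iframe> can be replaced with a regular link or a location.href assignment, both of which continue working according to the note above.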
